Ensure HTTP status See Other (303) for form submissions

Turbo requires us to use the HTTP status code 303 for successful form submissions after stateful server changes.

See https://turbo.hotwired.dev/handbook/drive#redirecting-after-a-form-submission

Author: MrSerth

app/controllers/application_controller.rb

@@ -142,15 +142,15 @@ def render_error(message, status)
       format.any do
         # Prevent redirect loop
         if request.url == request.referer || request.referer&.match?(sign_in_path)
-          redirect_to :root, alert: message
+          redirect_to :root, alert: message, status: :see_other
         # Redirect to main domain if the request originated from our render_host
         elsif request.path == '/' && request.host == RENDER_HOST
-          redirect_to Rails.application.config.action_mailer.default_url_options, allow_other_host: true
+          redirect_to Rails.application.config.action_mailer.default_url_options, allow_other_host: true, status: :see_other
         elsif current_user.nil? && status == :unauthorized
           session[:return_to_url] = request.fullpath if current_user.nil?
-          redirect_to sign_in_path, alert: t('application.not_signed_in')
+          redirect_to sign_in_path, alert: t('application.not_signed_in'), status: :see_other
         else
-          redirect_back fallback_location: :root, allow_other_host: false, alert: message
+          redirect_back fallback_location: :root, allow_other_host: false, alert: message, status: :see_other
         end
       end
       format.json { render json: {error: message}, status: }

app/controllers/code_ocean/files_controller.rb

@@ -67,7 +67,7 @@ def create_and_respond(options = {})
           filename = "#{@object.path || ''}/#{@object.name || ''}#{@object.file_type.try(:file_extension) || ''}"
           format.html do
             flash[:danger] = t('code_ocean/files.error.filename', name: filename)
-            redirect_to(options[:path])
+            redirect_to options[:path], status: :see_other
           end
           format.json { render(json: @object.errors, status: :unprocessable_content) }
         end

app/controllers/concerns/common_behavior.rb

@@ -24,7 +24,7 @@ def destroy_and_respond(options = {})
     @object.destroy
     respond_to do |format|
       path = options[:path] || send(:"#{@object.class.model_name.collection}_path")
-      format.html { redirect_to(path, notice: t('shared.object_destroyed', model: @object.class.model_name.human)) }
+      format.html { redirect_to path, notice: t('shared.object_destroyed', model: @object.class.model_name.human), status: :see_other }
       format.json { head(:no_content) }
     end
   end
@@ -36,7 +36,7 @@ def respond_with_invalid_object(format, options = {})
   end
 
   def respond_with_valid_object(format, options = {})
-    format.html { redirect_to(options[:path], notice: options[:notice]) }
+    format.html { redirect_to options[:path], notice: options[:notice], status: :see_other }
     format.json { render(:show, location: @object, status: options[:status]) }
   end
   private :respond_with_valid_object

app/controllers/concerns/lti.rb

@@ -110,11 +110,11 @@ def return_to_consumer(options = {})
     # The `lti_msg` is displayed to the user as an information.
     return_url = consumer_return_url(@provider, options)
     if return_url && URI.parse(return_url).absolute?
-      redirect_to(return_url, allow_other_host: true)
+      redirect_to return_url, allow_other_host: true, status: :see_other
     else
       flash[:danger] = options[:lti_errormsg]
       flash[:info] = options[:lti_msg]
-      redirect_to(:root)
+      redirect_to :root, status: :see_other
     end
   end
 

app/controllers/concerns/redirect_behavior.rb

@@ -27,7 +27,7 @@ def redirect_after_submit
   def redirect_to_community_solution
     url = edit_community_solution_path(@community_solution, lock_id: @community_solution_lock.id)
     respond_to do |format|
-      format.html { redirect_to(url) }
+      format.html { redirect_to url, status: :see_other }
       format.json { render(json: {redirect: url}) }
     end
   end
@@ -67,7 +67,7 @@ def redirect_to_user_feedback
           end
 
     respond_to do |format|
-      format.html { redirect_to(url) }
+      format.html { redirect_to url, status: :see_other }
       format.json { render(json: {redirect: url}) }
     end
   end
@@ -81,7 +81,7 @@ def redirect_to_unsolved_rfc(own: false)
     @rfc.increment!(:times_featured) unless own # rubocop:disable Rails/SkipsModelValidations
 
     respond_to do |format|
-      format.html { redirect_to(@rfc) }
+      format.html { redirect_to @rfc, status: :see_other }
       format.json { render(json: {redirect: url_for(@rfc)}) }
     end
   end
@@ -111,7 +111,7 @@ def redirect_to_lti_return_path
 
     path = lti_return_path(submission_id: @submission.id)
     respond_to do |format|
-      format.html { redirect_to(path) }
+      format.html { redirect_to path, status: :see_other }
       format.json { render(json: {redirect: path}) }
     end
   end

app/controllers/concerns/webauthn/authentication.rb

@@ -39,7 +39,7 @@ def authenticate(user)
         _sign_in_as(user)
         return _finalize_login(user) if user.fully_authenticated?
 
-        redirect_to new_webauthn_credential_authentication_path
+        redirect_to new_webauthn_credential_authentication_path, status: :see_other
         user
       end
 
@@ -92,7 +92,7 @@ def destroy_webauthn_cookie(_user = nil)
 
       # Redirect to the WebAuthn authentication page if the user has not completed the WebAuthn authentication.
       def _require_webauthn_credential_authentication(user = current_user)
-        redirect_to new_webauthn_credential_authentication_path unless _webauthn_credential_authentication_completed?(user)
+        redirect_to(new_webauthn_credential_authentication_path, status: :see_other) unless _webauthn_credential_authentication_completed?(user)
       end
 
       # Finish the login process and redirect the user to the return_to_url.

app/controllers/error_template_attributes_controller.rb

@@ -42,7 +42,7 @@ def create
     respond_to do |format|
       if @error_template_attribute.save
         format.html do
-          redirect_to @error_template_attribute, notice: t('shared.object_created', model: @error_template_attribute.class.model_name.human)
+          redirect_to @error_template_attribute, notice: t('shared.object_created', model: @error_template_attribute.class.model_name.human), status: :see_other
         end
         format.json { render :show, status: :created, location: @error_template_attribute }
       else
@@ -59,7 +59,7 @@ def update
     respond_to do |format|
       if @error_template_attribute.update(error_template_attribute_params)
         format.html do
-          redirect_to @error_template_attribute, notice: t('shared.object_updated', model: @error_template_attribute.class.model_name.human)
+          redirect_to @error_template_attribute, notice: t('shared.object_updated', model: @error_template_attribute.class.model_name.human), status: :see_other
         end
         format.json { render :show, status: :ok, location: @error_template_attribute }
       else
@@ -76,7 +76,7 @@ def destroy
     @error_template_attribute.destroy
     respond_to do |format|
       format.html do
-        redirect_to ErrorTemplateAttribute, notice: t('shared.object_destroyed', model: @error_template_attribute.class.model_name.human)
+        redirect_to ErrorTemplateAttribute, notice: t('shared.object_destroyed', model: @error_template_attribute.class.model_name.human), status: :see_other
       end
       format.json { head :no_content }
     end

app/controllers/error_templates_controller.rb

@@ -40,7 +40,7 @@ def create
 
     respond_to do |format|
       if @error_template.save
-        format.html { redirect_to @error_template, notice: t('shared.object_created', model: @error_template.class.model_name.human) }
+        format.html { redirect_to @error_template, notice: t('shared.object_created', model: @error_template.class.model_name.human), status: :see_other }
         format.json { render :show, status: :created, location: @error_template }
       else
         format.html { render :new, status: :unprocessable_content }
@@ -55,7 +55,7 @@ def update
     authorize!
     respond_to do |format|
       if @error_template.update(error_template_params)
-        format.html { redirect_to @error_template, notice: t('shared.object_updated', model: @error_template.class.model_name.human) }
+        format.html { redirect_to @error_template, notice: t('shared.object_updated', model: @error_template.class.model_name.human), status: :see_other }
         format.json { render :show, status: :ok, location: @error_template }
       else
         format.html { render :edit, status: :unprocessable_content }
@@ -70,7 +70,7 @@ def destroy
     authorize!
     @error_template.destroy
     respond_to do |format|
-      format.html { redirect_to ErrorTemplate, notice: t('shared.object_destroyed', model: @error_template.class.model_name.human) }
+      format.html { redirect_to ErrorTemplate, notice: t('shared.object_destroyed', model: @error_template.class.model_name.human), status: :see_other }
       format.json { head :no_content }
     end
   end
@@ -79,7 +79,7 @@ def add_attribute
     authorize!
     @error_template.error_template_attributes << ErrorTemplateAttribute.find(params[:error_template_attribute_id])
     respond_to do |format|
-      format.html { redirect_to @error_template }
+      format.html { redirect_to @error_template, status: :see_other }
       format.json { head :no_content }
     end
   end
@@ -88,7 +88,7 @@ def remove_attribute
     authorize!
     @error_template.error_template_attributes.delete(ErrorTemplateAttribute.find(params[:error_template_attribute_id]))
     respond_to do |format|
-      format.html { redirect_to @error_template }
+      format.html { redirect_to @error_template, status: :see_other }
       format.json { head :no_content }
     end
   end

app/controllers/execution_environments_controller.rb

@@ -194,9 +194,9 @@ def sync_to_runner_management
       Runner.strategy_class.sync_environment(@execution_environment)
     rescue Runner::Error => e
       Rails.logger.warn { "Runner error while synchronizing execution environment with id #{@execution_environment.id}: #{e.message}" }
-      redirect_to @execution_environment, alert: t('execution_environments.index.synchronize.failure', error: ERB::Util.html_escape(e.message))
+      redirect_to @execution_environment, alert: t('execution_environments.index.synchronize.failure', error: ERB::Util.html_escape(e.message)), status: :see_other
     else
-      redirect_to @execution_environment, notice: t('execution_environments.index.synchronize.success')
+      redirect_to @execution_environment, notice: t('execution_environments.index.synchronize.success'), status: :see_other
     end
   end
 
@@ -239,9 +239,9 @@ def sync_all_to_runner_management
     end
 
     if success.all?
-      redirect_to ExecutionEnvironment, notice: t('execution_environments.index.synchronize_all.success')
+      redirect_to ExecutionEnvironment, notice: t('execution_environments.index.synchronize_all.success'), status: :see_other
     else
-      redirect_to ExecutionEnvironment, alert: t('execution_environments.index.synchronize_all.failure')
+      redirect_to ExecutionEnvironment, alert: t('execution_environments.index.synchronize_all.failure'), status: :see_other
     end
   end
 

app/controllers/exercises_controller.rb

@@ -59,10 +59,10 @@ def clone
     exercise = @exercise.duplicate(public: false, token: nil, user: current_user, uuid: nil)
     exercise.send(:generate_token)
     if exercise.save
-      redirect_to(exercise_path(exercise), notice: t('shared.object_cloned', model: Exercise.model_name.human))
+      redirect_to exercise_path(exercise), notice: t('shared.object_cloned', model: Exercise.model_name.human), status: :see_other
     else
       flash[:danger] = t('shared.message_failure')
-      redirect_to(@exercise)
+      redirect_to @exercise, status: :see_other
     end
   end
 
@@ -238,7 +238,7 @@ def download_proforma
     zip_file = ProformaService::ExportTask.call(exercise: @exercise)
     send_data(zip_file.string, type: 'application/zip', filename: "exercise_#{@exercise.id}.zip", disposition: 'attachment')
   rescue ProformaXML::PostGenerateValidationError => e
-    redirect_to :root, danger: JSON.parse(e.message).join('<br>')
+    redirect_to :root, danger: JSON.parse(e.message).join('<br>'), status: :see_other
   end
 
   def user_from_api_key
@@ -331,7 +331,7 @@ def handle_exercise_tips(tips_params)
       ExerciseTip.destroy(previous_exercise_tips - remaining_exercise_tips)
     rescue JSON::ParserError => e
       flash[:danger] = "JSON error: #{e.message}"
-      redirect_to(edit_exercise_path(@exercise))
+      redirect_to edit_exercise_path(@exercise), status: :see_other
     end
   end
 
@@ -349,7 +349,7 @@ def update_exercise_tips(exercise_tips, parent_exercise_tip_id, rank)
       rank += 1
       unless current_exercise_tip.save
         flash[:danger] = current_exercise_tip.errors.full_messages.join('. ')
-        redirect_to(edit_exercise_path(@exercise)) and break
+        redirect_to(edit_exercise_path(@exercise), status: :see_other) and break
       end
 
       children = update_exercise_tips exercise_tip[:children], current_exercise_tip.id, rank
@@ -371,17 +371,16 @@ def implement # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedC
         session.delete(:pair_programming)
         @current_contributor = current_user
       else
-        return redirect_back_or_to(
-          implement_exercise_path(current_contributor.exercise),
-          alert: t('exercises.implement.existing_programming_group', exercise: current_contributor.exercise.title)
-        )
+        return redirect_back_or_to implement_exercise_path(current_contributor.exercise),
+          alert: t('exercises.implement.existing_programming_group', exercise: current_contributor.exercise.title),
+          status: :see_other
       end
     elsif session[:pg_id].blank? && (pg = current_user.programming_groups.find_by(exercise: @exercise)) && pg.submissions.where(study_group_id: current_user.current_study_group_id).any?
       # we are just acting on behalf of a single user who has already worked on this exercise as part of a programming group **in the context of the current study group**
       session[:pg_id] = pg.id
       @current_contributor = pg
     elsif session[:pg_id].blank? && session[:pair_programming] == 'mandatory'
-      return redirect_back_or_to(new_exercise_programming_group_path(@exercise))
+      return redirect_back_or_to new_exercise_programming_group_path(@exercise), status: :see_other
     elsif session[:pg_id].blank? && session[:pair_programming] == 'optional' && current_user.submissions.where(study_group_id: current_user.current_study_group_id, exercise: @exercise).none?
       Event.find_or_create_by(category: 'pp_work_alone', user: current_user, exercise: @exercise, data: nil, file_id: nil)
       current_user.pair_programming_waiting_users&.find_by(exercise: @exercise)&.update(status: :worked_alone)
@@ -492,9 +491,9 @@ def not_authorized_for_exercise(_exception)
     return render_not_authorized unless %w[implement working_times intervention reload].include?(action_name)
 
     if current_user.admin? || current_user.teacher?
-      redirect_to(@exercise, alert: t('exercises.implement.unpublished')) if @exercise.unpublished?
-      redirect_to(@exercise, alert: t('exercises.implement.no_files')) unless @exercise.files.visible.exists?
-      redirect_to(@exercise, alert: t('exercises.implement.no_execution_environment')) if @exercise.execution_environment.blank?
+      redirect_to(@exercise, alert: t('exercises.implement.unpublished'), status: :see_other) if @exercise.unpublished?
+      redirect_to(@exercise, alert: t('exercises.implement.no_files'), status: :see_other) unless @exercise.files.visible.exists?
+      redirect_to(@exercise, alert: t('exercises.implement.no_execution_environment'), status: :see_other) if @exercise.execution_environment.blank?
     else
       render_not_authorized
     end