Search code examples
ruby-on-rails-4pundit

Using Pundit and getting Render and/or redirect were called multiple times

I'm getting the following error when a user isn't allowed to see a page with authorization rules by pundit:

Render and/or redirect were called multiple times in this action. Please note that you may only call render OR redirect, and at most once per action. Also note that neither redirect nor render terminate execution of the action, so if you want to exit an action after redirecting, you need to do something like "redirect_to(...) and return".

This is the application_controller.rb:

class ApplicationController < ActionController::Base    
  # Includes Authorization mechanism
    include Pundit

  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception

  # Globally rescue Authorization Errors in controller.
  # Returning 403 Forbidden if permission is denied
  rescue_from Pundit::NotAuthorizedError, with: :permission_denied

  # Enforces access right checks for individuals resources
  # after_filter :verify_authorized, :except => :index

  # Enforces access right checks for collections
  # after_filter :verify_policy_scoped, :only => :index

  private

  def permission_denied
    flash[:error] = "You don't have the proper permissions to view this page. If you think you are supposed to then please contact us at [email protected]"
    # this is giving a redirect loop error
    redirect_to(request.referrer || root_path)
  end
end

stat_policy.rb:

class StatPolicy
  attr_reader :current_user, :model

  def initialize(current_user, model)
    @current_user = current_user
    @stat = model
  end

  def index?
    @current_user.admin?
  end
end

stats_controller.rb:

class StatsController < ApplicationController
  after_action :authorize_stat

  def index
    @stats = Stat.all
    @stat = Stat.new
    render layout: "stat_layout"
  end

  private
    def authorize_stat
      authorize @stat
    end

    # Use callbacks to share common setup or constraints between actions.
    def set_stat
      @stat = Stat.find(params[:id])
    end

end
Solution

  • There's a strange order of operations that occurs with the after_action. If you set the response_body to nil, it should fix your problem.

      def permission_denied
    flash[:error] = "You don't have the proper permissions to view this page. If you think you are supposed to then please contact us at [email protected]"
    self.response_body = nil # This should resolve the redirect root.
    redirect_to(request.referrer || root_path)
  end