使用Pundit并获取渲染和/或重定向被多次调用

时间:2014-09-15 20:31:03

标签: ruby-on-rails-4 pundit

当不允许用户通过权威人员查看包含授权规则的页面时,我收到以下错误:

在此操作中多次调用渲染和/或重定向。请注意,您只能调用渲染或重定向,每次操作最多一次。另请注意,重定向和呈现都不会终止执行操作,因此如果要在重定向后退出操作,则需要执行类似“redirect_to(...)并返回”的操作。

这是 application_controller.rb 

class ApplicationController < ActionController::Base    
  # Includes Authorization mechanism
    include Pundit

  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception

  # Globally rescue Authorization Errors in controller.
  # Returning 403 Forbidden if permission is denied
  rescue_from Pundit::NotAuthorizedError, with: :permission_denied

  # Enforces access right checks for individuals resources
  # after_filter :verify_authorized, :except => :index

  # Enforces access right checks for collections
  # after_filter :verify_policy_scoped, :only => :index

  private

  def permission_denied
    flash[:error] = "You don't have the proper permissions to view this page. If you think you are supposed to then please contact us at permissions@inrtracker.com"
    # this is giving a redirect loop error
    redirect_to(request.referrer || root_path)
  end
end

stat_policy.rb 

class StatPolicy
  attr_reader :current_user, :model

  def initialize(current_user, model)
    @current_user = current_user
    @stat = model
  end

  def index?
    @current_user.admin?
  end
end

stats_controller.rb: 

class StatsController < ApplicationController
  after_action :authorize_stat

  def index
    @stats = Stat.all
    @stat = Stat.new
    render layout: "stat_layout"
  end

  private
    def authorize_stat
      authorize @stat
    end

    # Use callbacks to share common setup or constraints between actions.
    def set_stat
      @stat = Stat.find(params[:id])
    end

end

3 个答案:

答案 0 :(得分:7)

after_action发生了奇怪的操作顺序。如果您将response_body设置为nil,则应解决您的问题。

  def permission_denied
    flash[:error] = "You don't have the proper permissions to view this page. If you think you are supposed to then please contact us at permissions@inrtracker.com"
    self.response_body = nil # This should resolve the redirect root.
    redirect_to(request.referrer || root_path)
  end

答案 1 :(得分:1)

接受的答案对我不起作用。我的问题最终导致Turbolinks导致所有链接被双重提交。我不知道Turbolinks问题的原因,但我禁用了Turbolinks,现在一切正常。

答案 2 :(得分:0)

根据Garrett的解决方案,问题是由Turbolinks与Rails渲染流程相结合引起的。我建议放置一个:

,而不是删除非常有用的Turbolinks 
data-turbolinks="false"

在指向导致问题的页面的链接上。就我而言,它恰好发生在带有表单的页面上,比如“新”行为。

相关问题
最新问题