
Search bar still visible even if not authorized

Open Paul-Bob opened this issue 1 year ago • 8 comments

Describe the bug

If the search? policy returns false or isn't defined, the search bar is still visible, returning empty results.

This can be confusing to debug; if a user is not authorized to search, maybe the search bar shouldn't be visible at all.

Mentioned:

  • https://discord.com/channels/740892036978442260/1187426840709693470
  • https://github.com/avo-hq/avo/issues/1750
  • https://github.com/avo-hq/avo/issues/1778

Paul-Bob avatar Dec 21 '23 18:12 Paul-Bob

This has bitten me a few times in the past too.

Maybe a way to solve it would be to be able to set a default policy for each resource. This is what I am doing but I need to manually add this policy to all my new resources and sometimes I forget.

If either the generator could add it in a comment

# self.authorization_policy = Admin::BasePolicy

or

or in avo.rb we could define a base policy, I think it would help.

adrienpoly avatar Dec 22 '23 06:12 adrienpoly

I'm curious on how you have your policies in the project. I noticed the Admin namespace.

I'm saying that because policies are automatically added to resources if they are not namespaced.

Example: UserPolicy -> Avo::Resources::User

adrianthedev avatar Dec 22 '23 09:12 adrianthedev

in avo.rb we could define a base policy I think it would help

I always thought that users will default to the ApplicationPolicy that pundit sets up for you. But I see what you mean...

  1. You generate a resource
  2. gotta make sure the policy is applied
  3. then add rules

We'll evaluate this approach. I'm just a bit afraid of all the if/elses we should add and the mental model that developers have right now.

adrianthedev avatar Dec 22 '23 09:12 adrianthedev

We found that using the default resource policy does not work for us. As those policies are tied to the application, they have lots of things that can be prevented for a user. A solution would be to always authorize if the user is an admin, but then it becomes very complicated to maintain. Therefore we have created an admin namespace with an Admin::ApplicationPolicy and then resource policies inheriting from this base application policy.

So very often in a resource I will either add

self.authorization_policy = Admin::ApplicationPolicy

or create a new policy file and add it to my resource

adrienpoly avatar Dec 22 '23 09:12 adrienpoly
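The two ideas in this thread, a `search?` policy method that is false or missing (the opening report) and a namespaced deny-by-default base policy that resource policies inherit from (adrienpoly's `Admin::ApplicationPolicy` setup), can be shown together in plain Ruby. The block below is an added example, not Avo's code and not code posted by anyone in the thread: it uses no Rails or Pundit gems, and the `User` struct, the `Admin::UserPolicy` and `Admin::LegacyPolicy` classes, and the `policy_for` and `search_bar_visible?` helpers are assumptions made for illustration. The point it demonstrates is the fail-closed behaviour the issue asks for: the search bar is shown only when the resolved policy explicitly answers `search?` with true, and a policy without a `search?` method counts as "not authorized" rather than "visible with empty results".

```ruby
# Added example, not Avo's code. Pundit-style policy hierarchy under an
# "Admin" namespace with a deny-by-default base policy, plus a helper that
# decides whether a search bar should be rendered at all.

# Assumed minimal user model: only the admin flag matters here.
User = Struct.new(:name, :admin)

module Admin
  # Base policy every admin resource inherits (assumption: mirrors the
  # Admin::ApplicationPolicy the thread describes). Deny by default: any
  # action a subclass does not explicitly open up is refused, search? included.
  class ApplicationPolicy
    attr_reader :user, :record

    def initialize(user, record)
      @user = user
      @record = record
    end

    def index?
      false
    end

    def show?
      false
    end

    def search?
      false
    end
  end

  # Assumed resource policy: admins may list and search users, nobody else.
  # search? is tied to index? so a user who cannot list cannot search either.
  class UserPolicy < ApplicationPolicy
    def index?
      user&.admin == true
    end

    def search?
      index?
    end
  end

  # Assumed "legacy" policy that never defined search? at all; this is the
  # "isn't defined" case from the bug report.
  class LegacyPolicy
    def initialize(_user, _record); end

    def index?
      true
    end
  end
end

# Resolve the policy for a resource the way the thread describes: an explicit
# `self.authorization_policy` on the resource wins, otherwise fall back to the
# namespace base policy instead of to an unrestricted default.
def policy_for(user, record, explicit: nil)
  (explicit || Admin::ApplicationPolicy).new(user, record)
end

# Fail closed: render the search bar only when the policy responds to search?
# and answers exactly true. A missing search? method is treated as denied.
def search_bar_visible?(policy)
  policy.respond_to?(:search?) && policy.search? == true
end

if __FILE__ == $PROGRAM_NAME
  admin = User.new("ada", true)
  guest = User.new("bob", false)
  puts search_bar_visible?(policy_for(admin, nil, explicit: Admin::UserPolicy))   # true
  puts search_bar_visible?(policy_for(guest, nil, explicit: Admin::UserPolicy))   # false
  puts search_bar_visible?(policy_for(admin, nil))                                # false: base policy denies
  puts search_bar_visible?(policy_for(admin, nil, explicit: Admin::LegacyPolicy)) # false: search? undefined
end
```

The design choice worth noting is that `search_bar_visible?` never distinguishes "policy says no" from "policy has no opinion"; both hide the bar, which is the behaviour the issue asks for and avoids the empty-results confusion the report describes.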

This issue has been marked as stale because there was no activity for the past 15 days.

github-actions[bot] avatar Jan 07 '24 02:01 github-actions[bot]

Closing this because there was no activity for the past 15 days. Feel free to reopen if new information pops up ✌️

github-actions[bot] avatar Jan 22 '24 02:01 github-actions[bot]

Closing this because there was no activity for the past 15 days. Feel free to reopen if new information pops up ✌️

github-actions[bot] avatar Feb 18 '24 01:02 github-actions[bot]

This issue has been marked as stale because there was no activity for the past 15 days.

github-actions[bot] avatar Mar 06 '24 01:03 github-actions[bot]