avo-hq / avo

Build Ruby on Rails apps 10x faster
https://avohq.io

Tool generator generates unsecured route. #1979

Open MrJoy opened 11 months ago

MrJoy commented 11 months ago

Describe the bug

When using rails generate avo:tool, the update to routes.rb produces a route that is not protected by Devise.

Specifically, it produces:

  scope :admin do
    get "my_tool", to: "avo/tools#my_tool"
  end

This should be within an authenticate block.

Steps to Reproduce

Steps to reproduce the behavior:

  1. rails generate avo:tool my_tool

System configuration

Avo version: 3.0.1.beta20

Rails version: 7.0.8

Ruby version: 3.2.2

adrianthedev commented 11 months ago

Because custom tools are very much regular Rails code, we presumed that users will move that route into their routing scheme anyway.

But you have a good point. I added the "Help wanted" label. Hopefully, someone can contribute this feature.

enderahmetyurt commented 2 days ago

I can look after it @adrianthedev if it's still available.

Paul-Bob commented 2 days ago

Thank you @enderahmetyurt!

Paul-Bob commented 2 days ago

Could we pause this for now? I'm uncertain whether we should move forward with it.

  1. Why enforce the route to be tied to a specific gem (Devise) when Avo doesn't actually require it?
  2. Why generate the route inside a block if we're unsure whether the user wants it? @MrJoy wants it under authentication (Devise specifically), but others might want an info page that's accessible to everyone, or another authentication method.

In my opinion, we should keep the route generation stupid simple. The goal is to provide a starting point that you can customize as needed, rather than delivering a fully finalized solution.
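
An added example, not part of the issue thread or of Avo's code: a heuristic, line-based check that scans routes.rb source for routes pointing at `avo/tools#...` and reports those not nested inside a Devise `authenticate` block, the situation described in the report. The function name, the sample routes and the assumption that every block opens with a trailing `do` and closes with `end` on its own line are constructed for illustration.

```ruby
# Added example: heuristic audit of routes.rb text (not Avo or Devise code).
# Assumes blocks open with a trailing `do` and close with `end` on its own line.
ROUTE_RE      = /^\s*(get|post|put|patch|delete|match)\s+["']([^"']+)["'].*\bto:\s*["'](avo\/tools#\w+)["']/
BLOCK_OPEN_RE = /^\s*(\w+)\b.*\bdo\s*(\|[^|]*\|)?\s*$/
BLOCK_END_RE  = /^\s*end\b/

Finding = Struct.new(:line_no, :path, :target, :enclosing)

# Returns a Finding for every tool route with no enclosing `authenticate` block.
def unauthenticated_tool_routes(source)
  stack = []     # first word of each currently open do...end block
  findings = []
  source.each_line.with_index(1) do |raw, line_no|
    # Strip comments, but only when '#' starts a token, so "avo/tools#x" survives.
    line = raw.sub(/(^|\s)#.*$/, "")
    if (m = ROUTE_RE.match(line))
      next if stack.include?("authenticate")
      findings << Finding.new(line_no, m[2], m[3], stack.dup)
    elsif (m = BLOCK_OPEN_RE.match(line))
      stack.push(m[1])
    elsif BLOCK_END_RE.match?(line)
      stack.pop
    end
  end
  findings
end

# Constructed sample: the generated route from the report next to a wrapped one.
SAMPLE_ROUTES = <<~'ROUTES'
  Rails.application.routes.draw do
    authenticate :user do
      mount Avo::Engine, at: Avo.configuration.root_path
    end

    scope :admin do
      get "my_tool", to: "avo/tools#my_tool"
    end

    authenticate :user do
      scope :admin do
        get "reports", to: "avo/tools#reports"
      end
    end
  end
ROUTES

unauthenticated_tool_routes(SAMPLE_ROUTES).each do |f|
  puts "line #{f.line_no}: #{f.path} -> #{f.target} (inside: #{f.enclosing.join(' > ')})"
end
```

A route reported here is not necessarily exposed, since another authentication method or a deliberately public page may apply; the check only shows which tool routes need a decision.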