avo-hq / avo

Build Ruby on Rails apps 10x faster
https://avohq.io

Implicit authorization #2125

Open adrianthedev opened 8 months ago

adrianthedev commented 8 months ago

This disables everything (access to the resource/search/attachments/uploads, everything) until someone implicitly enables them.

Maybe we should introduce a roles system that will handle this.

From https://github.com/avo-hq/avo/discussions/1574

adrianthedev commented 8 months ago

This should work great with https://github.com/avo-hq/avo/issues/2126

icaroryan commented 2 months ago

UP

adrianthedev commented 2 months ago

I wonder if this can be achieved by making all methods return false in the ApplicationPolicy?

icaroryan commented 2 months ago

I've been using some monkey-patching as a workaround, which has been working well so far. It's just a little inconvenient having to manually add it for every association.

application_policy.rb

# Declares the per-association policy methods Avo looks up for
# `association`. Write-type actions return the opt-in flag (false by
# default); showing delegates to the policy Pundit resolves for `record`.
def self.has_association(association, with_full_permissions = false)
  %w[create attach detach destroy edit].each do |action|
    define_method(:"#{action}_#{association}?") { with_full_permissions }
  end
  define_method(:"show_#{association}?") { Pundit.policy!(user, record).show? }
  # Viewing the association follows this policy's own show?, which must
  # already be defined when has_association is called.
  alias_method :"view_#{association}?", :show?
end

Kudos to @segiddins for sharing this in https://github.com/avo-hq/avo/discussions/1574

As for a more permanent solution, I'm really not sure how.
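A sketch of the "make everything return false in ApplicationPolicy" idea from the thread, as an added example that is neither Avo's code nor the snippet above: every predicate (`index?`, `show?`, `attach_comments?`, ...) fails closed unless a resource policy opts in. The `User`, `Post`, `PostPolicy` and `allow` names are assumptions made for this example, and Pundit is not loaded so it runs stand-alone.

```ruby
# Added example, not Avo's code. Deny-by-default policy base class:
# any unhandled predicate answers false; resources opt in with `allow`.
class User
  attr_reader :role
  def initialize(role)
    @role = role
  end
end

class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  # Opt-in: define the named predicates with a block evaluated per policy
  # instance, so the caller can still make them conditional on the user.
  def self.allow(*predicates, &condition)
    condition ||= proc { true }
    predicates.each { |p| define_method(:"#{p}?", &condition) }
  end

  # Any predicate nobody has opted in falls through to false (fail closed).
  # Only names ending in "?" are handled; anything else still raises
  # NoMethodError so typos in non-predicate calls do not go silent.
  def method_missing(name, *args)
    return false if name.end_with?("?")
    super
  end

  def respond_to_missing?(name, include_private = false)
    name.end_with?("?") || super
  end
end

Post = Struct.new(:title)

class PostPolicy < ApplicationPolicy
  allow :index, :show
  allow(:create, :edit, :destroy) { user.role == :admin }
  # Association predicates Avo checks, e.g. view_comments?/attach_comments?;
  # detach_comments?, destroy_comments? etc. stay false because nobody opted in.
  allow(:view_comments) { show? }
  allow(:attach_comments) { user.role == :admin }
end

def policy_for(user, record)
  Object.const_get("#{record.class}Policy").new(user, record)
end
```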