Open adrianthedev opened 8 months ago
This should work great with https://github.com/avo-hq/avo/issues/2126
UP
I wonder if this can be achieved by making all methods return false in the ApplicationPolicy?
I've been using some monkey-patching as a workaround, which has been working well so far. Just a little inconvenient having to manually add it for every association.
application_policy.rb
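# Defines the association rules for `association` in one call.
def self.has_association(association, with_full_permissions = false)
  # Mutating actions are allowed only when with_full_permissions is true.
  ['create', 'attach', 'detach', 'destroy', 'edit'].each do |action|
    define_method(:"#{action}_#{association}?") { with_full_permissions }
  end
  # show_<association>? defers to the policy Pundit resolves for the record.
  define_method(:"show_#{association}?") { Pundit.policy!(user, record).show? }
  # view_<association>? follows this policy's own show?.
  alias_method :"view_#{association}?", :show?
end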
Kudos to @segiddins for sharing this in https://github.com/avo-hq/avo/discussions/1574
As for a more permanent solution, I'm really not sure how.
This disables everything (access to the resource/search/attachments/uploads, everything) until someone implicitly enables them.
Maybe we should introduce a roles system that will handle this.
From https://github.com/avo-hq/avo/discussions/1574
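
The idea raised in the thread, having every policy method return false until it is enabled, sketched as an added plain-Ruby example; it is not code from the thread, from Avo or from Pundit. It assumes the authorization layer dispatches rules with `respond_to?` and `public_send`; `User`, `Post`, `PostPolicy`, `explicit_rules` and `authorized?` are hypothetical names.

```ruby
# Added example: deny-by-default policy base class (plain Ruby, no gems needed).
class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  # Any predicate (name ending in "?") that no subclass defines is denied.
  def method_missing(name, *args, &block)
    name.to_s.end_with?("?") ? false : super
  end

  def respond_to_missing?(name, include_private = false)
    name.to_s.end_with?("?") || super
  end

  # Audit helper: the rules a policy class grants explicitly.
  def self.explicit_rules
    (public_instance_methods - ApplicationPolicy.public_instance_methods)
      .select { |m| m.to_s.end_with?("?") }.sort
  end
end

User = Struct.new(:id, :admin)      # constructed sample models
Post = Struct.new(:id, :author_id)

class PostPolicy < ApplicationPolicy
  def show?
    true
  end

  def update?
    user.admin || record.author_id == user.id
  end

  # Association rule in the "#{action}_#{association}?" form used in the thread.
  def view_comments?
    show?
  end
end

# Hypothetical caller: only an explicit `true` grants access.
def authorized?(user, record, rule, policy_class = PostPolicy)
  policy = policy_class.new(user, record)
  policy.respond_to?(rule) && policy.public_send(rule) == true
end
```

Rules such as `destroy?` or `attach_comments?` stay denied on `PostPolicy` because nothing defines them, and `PostPolicy.explicit_rules` lists what a review of that policy has to cover.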