Open ctm opened 8 years ago
I faced the same issue today. I do not understand why we need to use .all in
@controller.policy_scope(abstract_model.model.all)
What about simply fixing the issue by removing .all? That is all!
def query(_action, abstract_model)
  @controller.policy_scope(abstract_model.model)
rescue ::Pundit::NotDefinedError
  abstract_model.model.all
end
@ctm, any objections as to why we cannot go with that and cancel your pull request?
extensions/pundit/authorization_adapter.rb contains this code:
but at least in pundit 1.1.0, the construction of Pundit::NotDefinedError calls inspect on the scope. This has the effect of retrieving every single row from the database table in question. We ran into this with a table that has over a million rows.
I have monkey-patched our application to get around this. I have also created a PR which has a spec that fails with the existing code and works with my patch. I'm submitting this issue before the PR so my commit can reference this issue.
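
The failure mode reported above, as an added example that is not code from this thread, rails_admin or Pundit: an error message that interpolates inspect on a lazy relation loads the whole table, even though the error is rescued straight away. FakeRelation, ScopeNotDefined and both lookup methods are hypothetical stand-ins, and the row counter models a full-table query.

```ruby
# Hypothetical stand-in for a lazy ORM relation; nothing is loaded until asked.
class FakeRelation
  attr_reader :model_name, :rows_loaded

  def initialize(model_name, row_count)
    @model_name = model_name
    @row_count = row_count
    @rows_loaded = 0
  end

  # Models a full-table SELECT: every row is counted as fetched.
  def load_rows
    @rows_loaded += @row_count
    (1..@row_count).first(3).map { |id| "#<#{@model_name} id: #{id}>" }
  end

  # As in the issue: inspect materialises the relation to describe it.
  def inspect
    "#<FakeRelation [#{load_rows.join(', ')}, ...]>"
  end
end

# Hypothetical error class standing in for a "scope not defined" error.
ScopeNotDefined = Class.new(StandardError)

# Costly pattern: building the message calls inspect on the relation.
def scope_lookup_with_inspect(scope)
  raise ScopeNotDefined, "unable to find scope for #{scope.inspect}"
end

# Cheaper pattern: the message names the model and never touches the rows.
def scope_lookup_with_name(scope)
  raise ScopeNotDefined, "unable to find scope for #{scope.model_name} relation"
end

# Runs one lookup, rescues the error as an adapter would, and reports
# how many rows were fetched just to build the error message.
def rows_loaded_by(lookup, row_count)
  relation = FakeRelation.new("Widget", row_count) # constructed sample model
  begin
    send(lookup, relation)
  rescue ScopeNotDefined
    # The caller would fall back to an unscoped query here.
  end
  relation.rows_loaded
end

if __FILE__ == $PROGRAM_NAME
  puts "with inspect: #{rows_loaded_by(:scope_lookup_with_inspect, 1_000_000)} rows"
  puts "with name:    #{rows_loaded_by(:scope_lookup_with_name, 1_000_000)} rows"
end
```

A spec for a fix of this kind can assert on the same counter: the number of rows loaded while the error is raised and rescued should be zero.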