belongs_to field does not use show_action? to control if link should be rendered #2006

Closed
carlost opened this issue Jun 21, 2021 · 3 comments
Labels
bug breakages in functionality that is implemented

carlost commented Jun 21, 2021

  • What were you trying to do?

Wire in authorization checks into administrate, following the guide. Unfortunately, the app/views/fields/belongs_to/_show.html.erb template for belongs_to does not leverage #show_action? to determine if the link should be rendered:

<% if field.data %>
  <% if valid_action?(:show, field.associated_class) %>
    <%= link_to(
      field.display_associated_resource,
      [namespace, field.data],
    ) %>
  <% else %>
    <%= field.display_associated_resource %>
  <% end %>
<% end %>

It checks #valid_action? to see if the action for the resource is "valid", which I interpret as meaning: is the action supported. However, the template does not also check #show_action? prior to rendering the link.

Compare that with how app/views/administrate/application/_collection.html.erb uses both #valid_action? and #show_action? to determine if a link should be rendered.

<% if valid_action? :edit, collection_presenter.resource_name %>
  <td><%= link_to(
    t("administrate.actions.edit"),
    [:edit, namespace, resource],
    class: "action-edit",
  ) if show_action? :edit, resource %></td>
<% end %>

  • What did you end up with (logs, or, even better, example apps are great!)?

Administrate is generating links to actions that users are not authorized to follow. If users see a link ... they will click a link.

  • What versions are you running?
    • Rails: 6.1.3.2
    • administrate: 0.16.0
    • ruby: 2.7.3p183

Is this behavior by design? Should I be overriding both valid_action? and show_action? to handle authorization?

@carlost carlost added the bug breakages in functionality that is implemented label Jun 21, 2021
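
The difference between the two templates quoted in the issue can be checked outside Rails. The script below is an added example, not code from the issue or from Administrate: `StubView`, `Field`, `render_belongs_to` and the sample record are constructed stand-ins, and the hardened template is one possible local override that adds the `show_action?` check the collection partial already makes.

```ruby
require "erb"

# Constructed stand-ins for the view context; not Administrate's own classes.
Field = Struct.new(:data, :associated_class, :display_associated_resource)

class StubView
  attr_reader :field, :namespace

  def initialize(field, authorized)
    @field, @namespace, @authorized = field, :admin, authorized
  end

  def valid_action?(_action, _resource_class) # route-level: action is supported
    true
  end

  def show_action?(_action, _resource) # authorization: this user may do it
    @authorized
  end

  def link_to(text, target)
    %(<a href="/#{target.join('/')}">#{text}</a>)
  end

  def render(template)
    ERB.new(template).result(binding).strip
  end
end

# belongs_to template as posted in the issue (link_to call on one line).
ORIGINAL = <<~TEMPLATE
  <% if field.data %>
    <% if valid_action?(:show, field.associated_class) %>
      <%= link_to(field.display_associated_resource, [namespace, field.data]) %>
    <% else %>
      <%= field.display_associated_resource %>
    <% end %>
  <% end %>
TEMPLATE

# Assumed override: same template, plus the per-record authorization check.
HARDENED = ORIGINAL.sub("field.associated_class) %>",
                        "field.associated_class) && show_action?(:show, field.data) %>")

def render_belongs_to(template, authorized:)
  field = Field.new("customers/7", "Customer", "Customer #7") # constructed sample
  StubView.new(field, authorized).render(template)
end
```

Hiding the link only changes what is rendered; the controller action still has to enforce the same policy.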
Collaborator

pablobm commented Jun 24, 2021

Thank you @carlost. Yeah, there are a few places where this happens, and I'm currently working on something to fix it more cleanly (#1941). Having said that, my changes may still take a while to come, so perhaps you could create a PR that fixes it for BelongsTo for the time being?

@jubilee2
Contributor

might be fixed in #1941

Collaborator

pablobm commented Nov 15, 2022

Indeed, it should be fixed now. Closing, but let me know if this is not the case.

@pablobm pablobm closed this as completed Nov 15, 2022