Replies: 3 comments
-
I don't consider this a bug. For example, consider that an action item (which likely contains a link) can still be displayed even if the user doesn't have access, although it can be supplied a hook (if block) to control whether it's rendered or not. The policy should prevent not the display of the link but an unauthorized user from loading the page. If you click the link as an unauthorized user, does the page still load?
-
I thought the default behavior was either to hide the link completely, like it's the case with "Edit"/"Destroy" buttons etc., ...or, in case of
In my project, users can manage sub-resources, which they get to from the parent#index page. They don't have access to parent#show nor parent#edit. Does that make sense?
PS: the page doesn't load. It fails authorization.
-
I like this idea
-
I've noticed that, with nested resources, the breadcrumbs are being generated with links to the #show page of the parent resource, even if the current user is not authorized to show/edit the parent resource.
This is where the issue starts:
https://github.com/activeadmin/activeadmin/blob/master/app/views/active_admin/_page_header.html.erb#L3
https://github.com/activeadmin/activeadmin/blob/master/app/helpers/active_admin/breadcrumb_helper.rb#L7
and here's where the bug is:
activeadmin/app/helpers/active_admin/breadcrumb_helper.rb
Lines 32 to 35 in 3976a37
It checks if the `#show` action is defined, but not whether the current user is authorized to perform the `#show` action. It also doesn't consider the case that's used in other places where the `#show` action is automatically replaced by the `#edit` action when the current user is not authorized to perform `#show`, but is authorized to perform `#edit`.
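The behaviour the post asks for, as an added stand-alone example rather than ActiveAdmin's own helper: the parent crumb is only linked to a target the current user is authorized to load, with the same show-to-edit fallback the post mentions, and falls back to plain text otherwise. `POLICY`, `authorized?`, the route helpers and the roles are all constructed here for illustration.

```ruby
# Added example (not ActiveAdmin code): an authorization-aware breadcrumb
# builder modelling the fix described in the discussion.

# Constructed policy: which actions each role may perform per resource class.
POLICY = {
  "admin"  => { "Project" => %i[index show edit destroy] },
  "member" => { "Project" => %i[index edit] },   # may edit, but not show
  "guest"  => { "Project" => %i[index] }         # may only list
}.freeze

# Stand-in for the authorization adapter's question: may this role run
# this action on this resource class?
def authorized?(role, resource_class, action)
  POLICY.fetch(role, {}).fetch(resource_class, []).include?(action)
end

# Hypothetical route helpers standing in for the Rails URL helpers.
def show_path(resource_class, id)
  "/admin/#{resource_class.downcase}s/#{id}"
end

def edit_path(resource_class, id)
  "#{show_path(resource_class, id)}/edit"
end

# Builds the parent crumb. Checking that #show is *defined* (what the
# current helper does) is not enough: the link target must also be one
# the current user is *authorized* to load. Fall back to #edit when #show
# is not permitted, and to an unlinked label when neither is.
def parent_crumb(role:, resource_class:, id:, label:, defined_actions:)
  if defined_actions.include?(:show) && authorized?(role, resource_class, :show)
    { text: label, href: show_path(resource_class, id) }
  elsif defined_actions.include?(:edit) && authorized?(role, resource_class, :edit)
    { text: label, href: edit_path(resource_class, id) }
  else
    { text: label, href: nil }   # crumb still rendered, just not as a link
  end
end
```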