Support for authorizing AJAX requests #16

Open
denisahearn opened this issue Dec 7, 2019 · 1 comment
denisahearn commented Dec 7, 2019

We are using ActiveAdmin's PunditAdapter to provide authorization of the ActiveAdmin controller actions. After we integrated activeadmin-searchable_select with AJAX, we ran into an issue with the *_options controller actions. They would execute without first authorizing the request, and as a result would fail due to a Pundit::AuthorizationNotPerformedError error.

We have worked around the problem by overriding the `ActiveAdmin::SearchableSelect::ResourceDSLExtension#searchable_select_options` method in an initializer, by calling an `authorize` method (in our `ApplicationController` class) prior to calling `render` within the `collection_action` block:

```ruby
module ActiveAdmin
  module SearchableSelect
    module ResourceDSLExtension
      def searchable_select_options(name: :all, **options)
        option_collection = OptionCollection.new(name, options)
        config.searchable_select_option_collections[name] = option_collection

        collection_action(option_collection.collection_action_name) do
          #--------------------------------------------------
          # Customization: run the app's authorize (Pundit) before rendering
          authorize :application
          #--------------------------------------------------
          render(json: option_collection.as_json(self, params))
        end
      end
    end
  end
end
```

While this works, we would prefer not to override/replace code in the gem. Would it be possible to enhance the gem to use ActiveAdmin's built-in authorization to authorize the *_options requests?

Thanks,
Denis

tf (Member) commented Dec 9, 2019

In my use cases so far, authorization could be handled by limiting the scope to things the current user is allowed to see. So basically everyone was allowed to call all option endpoints, but might get an empty response.

I understand, though, that this does not play well with Pundit's verify_authorized feature. If you pass a proc to the scope option, it is evaluated in the context of the collection action. So, technically, you should be able to call authorize there, before returning the scope. That looks rather ugly, though.

I agree that it would be nice to automatically authorize the requests against the configured authorization adapter. I'm not sure, though, what action should be authorized by default. Also the change needs to be made in a way that preserves backwards compatibility for current users of the Pundit adapter.

So maybe a middle ground could be introducing a new `authorize` option which takes the name of the method to call on the resource's policy?

```ruby
ActiveAdmin.register Category do
  searchable_select_options(scope: Category.all,
                            authorize: :get_options, # Makes collection action call CategoryPolicy#get_options?
                            text_attribute: :name)
end
```

Happy to accept a PR.

@tf tf added the help wanted label Mar 25, 2020
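The following is an added illustration, not code from activeadmin-searchable_select, ActiveAdmin or Pundit. It models in plain Ruby the two points raised above: the `Pundit::AuthorizationNotPerformedError` that Denis hits when an options endpoint renders without authorizing, and tf's proposed `authorize:` option that names the policy method to call. `CategoryPolicy`, `OptionsAction`, `options_endpoint`, the two error classes and the `Category` struct are constructed stand-ins so the script runs without Rails; the real Pundit and ActiveAdmin APIs are not used.

```ruby
# Added example: a self-contained model of "authorize the *_options
# collection action before rendering". Everything here is a stand-in for
# Pundit/ActiveAdmin, written only to show the control flow.
require 'json'

class NotAuthorizedError < StandardError; end            # stand-in for Pundit::NotAuthorizedError
class AuthorizationNotPerformedError < StandardError; end # stand-in for Pundit::AuthorizationNotPerformedError

# Stand-in policy: one "<action>?" method per action, Pundit style.
class CategoryPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  # Only signed-in users may fetch select options.
  def get_options?
    !user.nil?
  end
end

# Looks up "<Model>Policy" by convention (mirrors Pundit's policy lookup).
def policy_for(user, record_class)
  Object.const_get("#{record_class.name}Policy").new(user, record_class)
end

# Stand-in for the collection action context: carries the current user,
# records whether authorize was called, and fails the request if the action
# finished without it (the verify_authorized behaviour from the thread).
class OptionsAction
  def initialize(user)
    @user = user
    @authorized = false
  end

  # query is the policy method name, e.g. :get_options?
  def authorize(record_class, query)
    policy = policy_for(@user, record_class)
    raise NotAuthorizedError, "#{policy.class}##{query} denied" unless policy.public_send(query)
    @authorized = true
  end

  def run
    result = yield self
    raise AuthorizationNotPerformedError, 'action rendered without authorize' unless @authorized
    result
  end
end

# Hypothetical authorize: option as proposed in the issue: the symbol names the
# policy method (:get_options -> CategoryPolicy#get_options?). Without it the
# endpoint renders unauthorized and the verify check raises, reproducing the
# failure Denis describes.
def options_endpoint(user, record_class, scope, authorize: nil, text_attribute: :name)
  OptionsAction.new(user).run do |action|
    action.authorize(record_class, :"#{authorize}?") if authorize
    JSON.generate({ results: scope.map { |r| { id: r[:id], text: r[text_attribute] } } })
  end
end

# Constructed sample data standing in for Category.all.
Category = Struct.new(:id, :name, keyword_init: true)
SAMPLE_SCOPE = [Category.new(id: 1, name: 'Books'), Category.new(id: 2, name: 'Music')]

if __FILE__ == $PROGRAM_NAME
  puts options_endpoint(:alice, Category, SAMPLE_SCOPE, authorize: :get_options)
  begin
    options_endpoint(nil, Category, SAMPLE_SCOPE, authorize: :get_options)
  rescue NotAuthorizedError => e
    puts "denied: #{e.message}"
  end
end
```

With `authorize: :get_options` a signed-in user gets the JSON options and an anonymous caller is refused before anything is rendered; leaving the option off reproduces the "rendered without authorizing" failure instead of silently serving the data, which is the property the issue asks the gem to provide.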