fix: explicit authorization (#3453)

* fix: explicit authorization * .
avo-hq · Nov 22, 2024 · f61dd2b · f61dd2b
1 parent 49265e8
commit f61dd2b
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 7 deletions.
diff --git a/app/controllers/avo/associations_controller.rb b/app/controllers/avo/associations_controller.rb
@@ -155,11 +155,13 @@ def reflection_class
     end
 
     def authorize_if_defined(method, record = @record)
+      return unless Avo.configuration.authorization_enabled?
+
       @authorization.set_record(record)
 
       if @authorization.has_method?(method.to_sym)
         @authorization.authorize_action method.to_sym
-      elsif !@authorization.is_a?(Avo::Services::AuthorizationService) && Avo.configuration.explicit_authorization
+      elsif Avo.configuration.explicit_authorization
         raise Avo::NotAuthorizedError.new
       end
     end

diff --git a/lib/avo/concerns/checks_assoc_authorization.rb b/lib/avo/concerns/checks_assoc_authorization.rb
@@ -5,6 +5,8 @@ module ChecksAssocAuthorization
 
       # Ex: A Post has many Comments
       def authorize_association_for(policy_method)
+        return true unless Avo.configuration.authorization_enabled?
+
         # Use the related_name as the base of the association
         association_name = @reflection&.name
         return true if association_name.blank?
@@ -34,10 +36,8 @@ def authorize_association_for(policy_method)
 
         if service.has_method?(method_name, raise_exception: false)
           service.authorize_action(method_name, record:, raise_exception: false)
-        elsif !service.is_a?(Avo::Services::AuthorizationService)
-          !Avo.configuration.explicit_authorization
         else
-          true
+          !Avo.configuration.explicit_authorization
         end
       end
     end

diff --git a/lib/avo/configuration.rb b/lib/avo/configuration.rb
@@ -123,6 +123,12 @@ def initialize
       @associations_lookup_list_limit = 1000
     end
 
+    # Authorization is enabled when:
+    # (avo-pro gem is installed) AND (authorization_client is NOT nil)
+    def authorization_enabled?
+      @authorization_enabled ||= Avo.plugin_manager.installed?(:avo_pro) && !authorization_client.nil?
+    end
+
     def current_user_method(&block)
       @current_user = block if block.present?
     end

diff --git a/lib/avo/fields/has_base_field.rb b/lib/avo/fields/has_base_field.rb
@@ -94,15 +94,15 @@ def component_for_view(view = Avo::ViewInquirer.new("index"))
       end
 
       def authorized?
+        return true unless Avo.configuration.authorization_enabled?
+
         method = :"view_#{id}?"
         service = field_resource.authorization
 
         if service.has_method? method
           service.authorize_action(method, raise_exception: false)
-        elsif !service.is_a?(Avo::Services::AuthorizationService)
-          !Avo.configuration.explicit_authorization
         else
-          true
+          !Avo.configuration.explicit_authorization
         end
       end