
Implicit authorization #2125

Open
adrianthedev opened this issue Dec 18, 2023 · 4 comments · May be fixed by #3292

Comments

@adrianthedev
Collaborator

This disables everything (access to the resource/search/attachments/uploads, everything) until someone implicitly enables them.

Maybe we should introduce a roles system that will handle this.

From #1574

@adrianthedev
Collaborator Author

This should work great with #2126

@adrianthedev adrianthedev added Help wanted We could use some help with this Security Needs research labels Dec 18, 2023
@icaroryan
Contributor

UP

@adrianthedev
Collaborator Author

I wonder if this can be achieved by making all methods return false in the ApplicationPolicy?

@icaroryan
Contributor

icaroryan commented Jun 28, 2024

I've been using some monkey-patching as a workaround, which has been working well so far. It's just a little inconvenient having to add it manually for every association.

application_policy.rb

```ruby
# Class-level helper for a Pundit policy: declares the per-association
# predicates Avo asks for, defaulting them to "denied".
def self.has_association(association, with_full_permissions = false)
  # Write-type actions on the association only pass when the caller opts in.
  ['create', 'attach', 'detach', 'destroy', 'edit'].each do |action|
    define_method(:"#{action}_#{association}?") { with_full_permissions }
  end
  # Reading the association follows the record's own show? decision.
  define_method(:"show_#{association}?") { Pundit.policy!(user, record).show? }
  # alias_method resolves show? at the time has_association is called, so
  # show? must already be defined (e.g. in ApplicationPolicy) by then.
  alias_method :"view_#{association}?", :show?
end
```

Kudos to @segiddins for sharing this in #1574

As for a more permanent solution, I'm really not sure how.
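
Deny-by-default variant of the idea discussed in this thread, as an added example (not Avo's code and not the snippet above): every resource action and every per-association predicate answers false unless a policy explicitly opts in, with `has_association` as the opt-in. It follows the Pundit policy convention but does not require the gem; `PostPolicy` and `post_policy_decisions` are constructed for illustration.

```ruby
# Added example (not Avo's or this thread's code). It follows the Pundit policy
# convention (initialize(user, record), predicates ending in "?") but does not
# require the pundit gem, so it runs stand-alone.
class ApplicationPolicy
  attr_reader :user, :record
  def initialize(user, record)
    @user = user
    @record = record
  end

  # Every resource-level action is denied unless a subclass overrides it.
  %i[index? show? create? new? edit? update? destroy? act_on? search?
     upload_attachments? download_attachments? delete_attachments?].each do |action|
    define_method(action) { false }
  end

  # Avo also asks per-association predicates (view_comments?, attach_tags?, ...);
  # unknown ones answer false instead of raising, which is what makes the deny implicit.
  ASSOCIATION_PREDICATE = /\A(view|show|create|attach|detach|destroy|edit)_\w+\?\z/
  def method_missing(name, *args, &block)
    name.to_s.match?(ASSOCIATION_PREDICATE) ? false : super
  end
  def respond_to_missing?(name, include_private = false)
    name.to_s.match?(ASSOCIATION_PREDICATE) || super
  end

  # Explicit opt-in for one association: reads follow show?, writes need with_full_permissions: true.
  def self.has_association(association, with_full_permissions: false)
    %w[create attach detach destroy edit].each do |action|
      define_method(:"#{action}_#{association}?") { with_full_permissions }
    end
    define_method(:"show_#{association}?") { show? }
    define_method(:"view_#{association}?") { show? }
  end
end

# Constructed resource policy: only show? and read access to comments are enabled.
class PostPolicy < ApplicationPolicy
  has_association :comments
  def show?
    !user.nil?
  end
end

# Decisions for one user; :tags was never opted in, so every tags predicate stays false.
def post_policy_decisions(user)
  policy = PostPolicy.new(user, Object.new)
  { show: policy.show?, destroy: policy.destroy?, view_comments: policy.view_comments?,
    attach_comments: policy.attach_comments?, attach_tags: policy.attach_tags?,
    knows_view_tags: policy.respond_to?(:view_tags?), knows_bogus: policy.respond_to?(:bogus) }
end
```

The blanket `method_missing` trades a loud `NoMethodError` for a silent deny, so a misspelled predicate in a policy fails closed rather than failing visibly; a test per policy that asserts the intended allows is the usual way to catch that.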

@Paul-Bob Paul-Bob linked a pull request Oct 1, 2024 that will close this issue
@Paul-Bob Paul-Bob added Feature and removed Help wanted We could use some help with this labels Oct 3, 2024
@Paul-Bob Paul-Bob self-assigned this Oct 3, 2024