avo-hq · Paul-Bob · Oct 1, 2024 · Oct 1, 2024 · Oct 1, 2024 · Oct 1, 2024
diff --git a/app/controllers/avo/associations_controller.rb b/app/controllers/avo/associations_controller.rb
@@ -154,6 +154,8 @@ def authorize_if_defined(method, record = @record)
 
       if @authorization.has_method?(method.to_sym)
         @authorization.authorize_action method.to_sym
+      elsif Avo.configuration.authorization_client.present? && Avo.configuration.implicit_authorization
+        raise Avo::NotAuthorizedError.new
       end
     end
 

diff --git a/lib/avo/concerns/checks_assoc_authorization.rb b/lib/avo/concerns/checks_assoc_authorization.rb
@@ -5,44 +5,38 @@ module ChecksAssocAuthorization
 
       # Ex: A Post has many Comments
       def authorize_association_for(policy_method)
-        policy_result = true
+        # Use the related_name as the base of the association
+        association_name = @reflection&.name
+        return true if association_name.blank?
 
-        if @reflection.present?
-          # Fetch the appropriate resource
-          reflection_resource = field.resource
-          # Fetch the record
-          # Hydrate the resource with the record if we have one
-          reflection_resource.hydrate(record: @parent_record) if @parent_record.present?
-          # Use the related_name as the base of the association
-          association_name = @reflection.name
+        # Fetch the appropriate resource
+        reflection_resource = field.resource
 
-          if association_name.present?
-            method_name = :"#{policy_method}_#{association_name}?".to_sym
+        # Hydrate the resource with the record if we have one
+        reflection_resource.hydrate(record: @parent_record) if @parent_record.present?
 
-            # Use the policy methods from the parent (Post)
-            service = reflection_resource.authorization
+        # Some policy methods should get the parent record in order to have the necessary information to do the authorization
+        # Example: Post->has_many->Comments
+        #
+        # When you want to authorize the creation/attaching of a Comment, you don't have the Comment instance.
+        # But you do have the Post instance and you can get that in your policy to authorize against.
+        record = if policy_method.in? [:view, :create, :attach, :act_on]
+          # Use the parent record (Post)
+          reflection_resource.record
+        else
+          # Override the record with the child record (Comment)
+          resource.record
+        end
 
-            if service.has_method?(method_name, raise_exception: false)
-              # Some policy methods should get the parent record in order to have the necessary information to do the authorization
-              # Example: Post->has_many->Comments
-              #
-              # When you want to authorize the creation/attaching of a Comment, you don't have the Comment instance.
-              # But you do have the Post instance and you can get that in your policy to authorize against.
-              parent_policy_methods = [:view, :create, :attach, :act_on]
+        # Use the policy methods from the parent (Post)
+        service = reflection_resource.authorization
+        method_name = :"#{policy_method}_#{association_name}?".to_sym
 
-              record = if parent_policy_methods.include?(policy_method)
-                # Use the parent record (Post)
-                reflection_resource.record
-              else
-                # Override the record with the child record (Comment)
-                resource.record
-              end
-              policy_result = service.authorize_action(method_name, record: record, raise_exception: false)
-            end
-          end
+        if service.has_method?(method_name, raise_exception: false)
+          service.authorize_action(method_name, record:, raise_exception: false)
+        else
+          !Avo.configuration.implicit_authorization
         end
-
-        policy_result
       end
     end
   end

diff --git a/lib/avo/configuration.rb b/lib/avo/configuration.rb
@@ -18,6 +18,7 @@ class Configuration
     attr_accessor :default_view_type
     attr_accessor :license_key
     attr_accessor :authorization_methods
+    attr_accessor :implicit_authorization
     attr_accessor :authenticate
     attr_accessor :current_user
     attr_accessor :id_links_to_resource
@@ -68,6 +69,7 @@ def initialize
       @license_key = nil
       @current_user = proc {}
       @authenticate = proc {}
+      @implicit_authorization = false
       @authorization_methods = {
         index: "index?",
         show: "show?",

diff --git a/lib/avo/fields/has_base_field.rb b/lib/avo/fields/has_base_field.rb
@@ -100,7 +100,7 @@ def authorized?
         if service.has_method? method
           service.authorize_action(method, raise_exception: false)
         else
-          true
+          !Avo.configuration.implicit_authorization
         end
       end
 

diff --git a/lib/generators/avo/templates/initializer/avo.tt b/lib/generators/avo/templates/initializer/avo.tt
@@ -41,6 +41,7 @@ Avo.configure do |config|
   # }
   # config.raise_error_on_missing_policy = false
   config.authorization_client = nil
+  config.implicit_authorization = true
 
   ## == Localization ==
   # config.locale = 'en-US'