Module: Avo::Concerns::ChecksAssocAuthorization

Extended by:
ActiveSupport::Concern
Included in:
ChecksShowAuthorization, ResourceComponent
Defined in:
lib/avo/concerns/checks_assoc_authorization.rb

Instance Method Summary collapse

Instance Method Details

#authorize_association_for(policy_method) ⇒ Object

Ex: A Post has many Comments



7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
 
# File 'lib/avo/concerns/checks_assoc_authorization.rb', line 7

def authorize_association_for(policy_method)
  return true unless Avo.configuration.authorization_enabled?

  # Use the related_name as the base of the association
  association_name = @reflection&.name
  return true if association_name.blank?

  # Fetch the appropriate resource
  reflection_resource = field.resource

  # Hydrate the resource with the record if we have one
  reflection_resource.hydrate(record: @parent_record) if @parent_record.present?

  # Some policy methods should get the parent record in order to have the necessary information to do the authorization
  # Example: Post->has_many->Comments
  #
  # When you want to authorize the creation/attaching of a Comment, you don't have the Comment instance.
  # But you do have the Post instance and you can get that in your policy to authorize against.
  record = if policy_method.in? [:view, :create, :attach, :act_on]
    # Use the parent record (Post)
    reflection_resource.record
  else
    # Override the record with the child record (Comment)
    resource.record
  end

  # Use the policy methods from the parent (Post)
  service = reflection_resource.authorization
  method_name = :"#{policy_method}_#{association_name}?".to_sym

  if service.has_method?(method_name, raise_exception: false)
    service.authorize_action(method_name, record:, raise_exception: false)
  else
    !Avo.configuration.explicit_authorization
  end
end