Filters values aren't using authorization scopes #6883
Comments
Are you up for working on a fix @ngouy?
mhm 🤔 Have a lot of work ATM (including in my weekend 😢 ) so I don't have any time for this
That'd be great, your help would be super appreciated if you end up finding some time!
@deivid-rodriguez quick question from a kinda noob active admin open sourcer: what would be the best way to have access to Idea would be to override the "#collection" methods by using the adapter scope. Once this part is done, the rest is a formality. Another idea would be to prebuild values from scope when building filters and pass them down from the top of the chain to the input builder, somewhere here: https://github.com/activeadmin/activeadmin/blob/3dcb1834620f38f73ac5c1f550f37986d486f29c/lib/active_admin/filters/resource_extension.rb
Hello! I'm not fully sure, would have to dig in deeper. I think at this level you only have access to the underlying activerecord object you're creating the form for, so I guess you'd need to explicitly pass the correctly scoped collection to the form manually. So your latter idea would seem like the right way to go to me.
Thank you for your guidance @deivid-rodriguez. Will take a look at it.
@deivid-rodriguez I've sent the first shot. What do you think about this approach? I'm waiting for even a slight input before "committing" myself into writing the final version and tests.
@ngouy Yes, that's the kind of approach I was thinking of, namely, passing a properly built collection to form filters using the
There is a PR ready for this. Thank you.
Did you find a bug?
Filter values don't use policy scopes.
I understand there is a manual way to scope the values of a filter, but since the collection of any resource index is scoped by default by the policy adapter (when there is one), filter values should be too. It can lead to a serious data breach.
I am even surprised to find nothing on the internet about that.
Another possibility is that I am missing something?
Expected behavior
On the user index page, in the filter "company", I should only see my own company
Actual behavior
I see all companies
How to reproduce
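The reported gap and the approach discussed in the thread, modeled in plain Ruby as an added illustration (not code from the report or from ActiveAdmin). `PolicyAdapter`, the sample records and every helper name are hypothetical stand-ins for an authorization adapter and a filter's option list.

```ruby
# Constructed sample data; all names below are hypothetical.
Company = Struct.new(:id, :name)
User    = Struct.new(:id, :name, :company_id)

COMPANIES = [Company.new(1, "Acme"), Company.new(2, "Globex"), Company.new(3, "Initech")].freeze
USERS = [
  User.new(1, "alice", 1), User.new(2, "bob", 1),
  User.new(3, "carol", 2), User.new(4, "dave", 3)
].freeze

# Stand-in for an authorization adapter: one scoping rule per resource class.
class PolicyAdapter
  def initialize(current_user)
    @current_user = current_user
  end

  def scope_collection(records)
    return [] if records.empty?
    case records.first
    when Company then records.select { |c| c.id == @current_user.company_id }
    when User    then records.select { |u| u.company_id == @current_user.company_id }
    else [] # fail closed for resources without a rule
    end
  end
end

# Index rows: scoped by the adapter, as the report says happens by default.
def index_rows(adapter)
  adapter.scope_collection(USERS)
end

# Reported behaviour: filter options built from the whole association.
def filter_options_unscoped
  COMPANIES.map { |c| [c.name, c.id] }
end

# Approach from the thread: build options from the scoped collection
# and pass that collection down to the filter.
def filter_options_scoped(adapter)
  adapter.scope_collection(COMPANIES).map { |c| [c.name, c.id] }
end

# Regression check: option ids the current user's scope does not allow.
def leaked_option_ids(adapter, options)
  allowed = adapter.scope_collection(COMPANIES).map(&:id)
  options.map(&:last) - allowed
end
```

A check like `leaked_option_ids` can back a feature spec that fails whenever a filter offers values outside the signed-in user's scope.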