Did you find a bug?
The `ransack` method never receives an "auth object" to be used in model methods.
If some filters are shown/hidden using `if:` based on authorization, this raises an exception now because `ransackable_attributes` might not be authorizing certain attributes to be searched for certain users.
Expected behavior
In `activeadmin/lib/active_admin/resource_controller/data_access.rb` (line 218 in ecf730d):

```ruby
@search = chain.ransack(params[:q] || {})
```
This line should pass a second argument that represents the authorizing user. In case of devise, I expect this to be either a user, or a "cancancan" ability (I'm not sure which is the most correct), or something else if a custom auth plugin is used.
Maybe it could pass `auth_object: active_admin_authorization`, which is effectively what's used for authorization in activeadmin.
Actual behavior
What actually happens?
The `auth_object` in `def self.ransackable_attributes(auth_object = nil)` is always `nil`.
How to reproduce
I will omit this since the source code is very explicit on the topic
Ideas
Thinking about this, it opens an incredible opportunity where the auth object could be a wrapper around the authorization adapter and the controller (or the active admin config). In this way, it could be possible to provide a default implementation of ransackable attributes that's based on the action filters (I'm not sure if the same is possible for associations)
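As an added example (not ActiveAdmin's or Ransack's own code), here is the model-side contract the issue is about: a plain-Ruby stand-in for an ActiveRecord model whose `ransackable_attributes(auth_object)` allowlist depends on the caller, plus a small helper that shows which filter params survive when the auth object is `nil` versus an authorized ability. `Post`, `AdminAbility` and `partition_filters` are constructed for this example; `AdminAbility` stands in for a CanCanCan ability.

```ruby
# Hypothetical stand-in for a CanCanCan ability; only `can?` is modelled.
AdminAbility = Struct.new(:role) do
  def can?(action, _subject)
    action == :manage && role == :admin
  end
end

# Constructed model standing in for an ActiveRecord model with Ransack.
class Post
  PUBLIC_SEARCH_ATTRIBUTES = %w[title published_at].freeze
  SENSITIVE_SEARCH_ATTRIBUTES = %w[author_email internal_notes].freeze

  # The method Ransack calls to get the searchable allowlist for this caller.
  # When the call site passes no auth object, `auth_object` is nil and only the
  # public allowlist is returned, even if the current user is an admin. The
  # intended call site would be something like:
  #   chain.ransack(params[:q] || {}, auth_object: active_admin_authorization)
  def self.ransackable_attributes(auth_object = nil)
    return PUBLIC_SEARCH_ATTRIBUTES if auth_object.nil? || !auth_object.can?(:manage, self)

    PUBLIC_SEARCH_ATTRIBUTES + SENSITIVE_SEARCH_ATTRIBUTES
  end
end

# Split incoming filter params (keys like "title_cont" or "author_email_eq")
# into those the allowlist permits and those it rejects. Matching on the
# "<attribute>_" prefix is a simplification of Ransack's predicate parsing.
def partition_filters(model, q_params, auth_object = nil)
  allowed = model.ransackable_attributes(auth_object)
  q_params.keys.map(&:to_s).partition do |key|
    allowed.any? { |attr| key.start_with?("#{attr}_") }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample of params[:q]: one public and one sensitive filter.
  q = { "title_cont" => "launch", "author_email_eq" => "x@example.test" }
  p partition_filters(Post, q)                           # nil auth object: author_email_eq rejected
  p partition_filters(Post, q, AdminAbility.new(:admin)) # admin ability: both permitted
end
```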