Hi, when I exclude a model from the new action, RailsAdmin should disallow its creation in any way across the whole admin interface.
Instead, RailsAdmin allows creating excluded models through association fields (it lets you open a modal, fill in all fields and save it) and just raises an unhandled error for breadcrumbs when you hit the "save and add another" button.
This is pretty annoying, and while you can disable 'inline_add' for associations, it forces you to resort to authorization to hide the 'add_another' button.
The worst part is that controller actions aren't disabled: I can point the browser to the new action path for a model and it always responds with the form. I've not tried, but that makes me guess that I can destroy a model excluded from the 'delete' action as well.
I think this should be fixed or documented in some way.
Anyway, I hate having to set up authorization for tasks like hiding a button, especially if authorization is not an app requirement (i.e. nobody should be able to create a model no matter who he is).
The ideal solution would be to just disallow routes for disabled actions and change the authorized? helper to also check whether the @abstract_model class is enabled for that action.
Something like:
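    def authorized?(action_name, model)
      # Look up the configured action object for the requested action.
      action_object = RailsAdmin::Config::Action.all.find { |a| a.action_name.to_s == action_name.to_s }
      # Deny when the model is excluded from this action.
      if action_object && action_object.exclude.include?(model.model.name)
        return false
      else
        super(action_name, model)
      end
    end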
Thank you very much anyway,
if you wish to fix this I can look at the code deeper and help with a PR.
Just let me know.
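
The gap described in the post above, modeled in plain Ruby as an added example (not code from the issue or from RailsAdmin): the same per-action exclusion list drives both the rendered buttons and the request handler. `ActionPolicy`, `visible_actions`, `dispatch_ui_only`, `dispatch_enforced`, the model names and the 404 response are all hypothetical choices made for this illustration.

```ruby
# Hypothetical stand-in for an admin's per-action exclusion config.
class ActionPolicy
  # excluded: { action_name => [model names that must not use the action] }
  def initialize(excluded)
    @excluded = excluded.transform_keys(&:to_s)
  end

  def enabled?(action_name, model_name)
    !@excluded.fetch(action_name.to_s, []).include?(model_name.to_s)
  end
end

# Constructed sample config: nobody may create or delete an Invoice.
POLICY = ActionPolicy.new('new' => ['Invoice'], 'delete' => ['Invoice'])

# UI layer: decides which buttons and links are rendered for a model.
def visible_actions(policy, model_name, actions = %w[index show new edit delete])
  actions.select { |a| policy.enabled?(a, model_name) }
end

# Before: the handler assumes a hidden button is never requested, so a
# direct request to the action path (or an inline modal create) succeeds.
def dispatch_ui_only(_policy, action_name, model_name)
  [200, "#{action_name} form for #{model_name}"]
end

# After: every request path consults the same policy before doing any work.
def dispatch_enforced(policy, action_name, model_name)
  return [404, 'action not available'] unless policy.enabled?(action_name, model_name)

  [200, "#{action_name} form for #{model_name}"]
end
```

Because the handler and the view read the same policy object, hiding a button and refusing the request cannot drift apart.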