🚨 enhancement: preview policy #3660

Open
wants to merge 10 commits into
base: main
@@ -1,10 +1,3 @@
<%= index_field_wrapper(**field_wrapper_args, dash_if_blank: false, class: 'whitespace-no-wrap w-[1%]', flush: true, center_content: true) do %>
<%= link_to resource_view_path,
title: t('avo.view_item', item: @resource.name).humanize,
data: {
controller: "preview",
preview_url_value: helpers.preview_resource_path(resource: @resource, turbo_frame: :preview_modal),
} do %>
<%= helpers.svg("heroicons/outline/magnifying-glass-circle", class: "block h-6 text-gray-600") %>
<% end %>
<%= render_preview %>
<% end %>
23 changes: 23 additions & 0 deletions app/components/avo/fields/preview_field/index_component.rb
@@ -1,4 +1,27 @@
# frozen_string_literal: true

class Avo::Fields::PreviewField::IndexComponent < Avo::Fields::IndexComponent
include Avo::Concerns::ChecksShowAuthorization

def render_preview
# Do not render the link if the user is not authorized to view the resource,
# as the link exposes the result of `record.to_param`.
return preview_icon if !can_view?

link_to resource_view_path, title: t('avo.view_item', item: @resource.name).humanize do
preview_icon
end
end


def preview_icon
helpers.svg(
"heroicons/outline/magnifying-glass-circle",
class: "block h-6 text-gray-600",
data: {
controller: "preview",
preview_url_value: helpers.preview_resource_path(resource: @resource, turbo_frame: :preview_modal),
}
)
end
end
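Review bot: The unauthorized branch at `return preview_icon if !can_view?` still emits `preview_icon`, whose `data` hash carries `helpers.preview_resource_path(resource: @resource, turbo_frame: :preview_modal)`; if that helper embeds the record identifier, the same `to_param` value the comment says is being withheld is still present in the markup, and the Stimulus `preview` controller attached by `controller: "preview"` will still issue the request for it. A bare icon without the data attributes closes that gap, e.g. `return helpers.svg("heroicons/outline/magnifying-glass-circle", class: "block h-6 text-gray-600") unless can_view?`. Stylistically the guard reads better as `unless can_view?` than `if !can_view?`, and there is a doubled blank line between `render_preview` and `preview_icon`. Whether `can_view?` is supplied by `Avo::Concerns::ChecksShowAuthorization` is not visible in this section.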
8 changes: 6 additions & 2 deletions app/controllers/avo/base_controller.rb
Expand Up @@ -208,9 +208,13 @@ def destroy
end

def preview
@resource.hydrate(record: @record, view: Avo::ViewInquirer.new(:show), user: _current_user, params: params)
@authorized = @authorization.set_record(@record || @resource.model_class).authorize_action :preview, raise_exception: false

@preview_fields = @resource.get_preview_fields
if @authorized
@resource.hydrate(record: @record, view: Avo::ViewInquirer.new(:show), user: _current_user, params: params)

@preview_fields = @resource.get_preview_fields
end

render layout: params[:turbo_frame].blank?
end
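Review bot: The controller decides with `authorize_action :preview, raise_exception: false`, while the index component that renders the trigger in this same PR decides visibility with `can_view?` from a show-authorization concern; when a policy permits one action but not the other, the user either sees a trigger that only produces the not-authorized panel or loses a preview they would be allowed to open. Consider aligning the two, either by checking `:preview` in the component as well or by documenting that the policy's `preview?` is expected to track `show?`. Because hydration and `@preview_fields` are skipped when `@authorized` is false, the template must not touch `@resource.record` on that path; a comment on the `if @authorized` line such as `# Unauthorized: skip hydration, @preview_fields stays nil; the view branches on @authorized` would make that contract explicit. The `end` that opens the hunk appears to close `destroy`, whose body starts outside the hunk.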
51 changes: 32 additions & 19 deletions app/views/avo/base/preview.html.erb
@@ -1,24 +1,37 @@
<%= turbo_frame_tag params[:turbo_frame] do %>
<%= content_tag :div, class: "-mx-2" do %>
<%= content_tag :div, class: "px-6 py-4" do %>
<div class="text-md font-semibold uppercase text-gray-800">Previewing <%= @resource.record_title %></div>
<% end %>
<% if @authorized %>
<%= content_tag :div, class: "-mx-2" do %>
<%= content_tag :div, class: "px-6 py-4" do %>
<div class="text-md font-semibold uppercase text-gray-800">Previewing <%= @resource.record_title %></div>
<% end %>

<% if @preview_fields.present? %>
<div class="mt-0 divide-y border-t">
<% @preview_fields.each_with_index do |field, index| %>
<%= render field
.hydrate(
resource: @resource,
record: @resource.record,
user: @resource.user,
view: Avo::ViewInquirer.new(:show)
)
.component_for_view(:show)
.new(field: field, resource: @resource, index: index, compact: true, short: true)
%>
<% end %>
</div>
<% if @preview_fields.present? %>
<div class="mt-0 divide-y border-t">
<% @preview_fields.each_with_index do |field, index| %>
<%= render field
.hydrate(
resource: @resource,
record: @resource.record,
user: @resource.user,
view: Avo::ViewInquirer.new(:show)
)
.component_for_view(:show)
.new(field: field, resource: @resource, index: index, compact: true, short: true)
%>
<% end %>
</div>
<% end %>
<% end %>
<% else %>
<div class="shadow-lg rounded px-4 py-3 rounded relative border text-white pointer-events-auto bg-blue-400 border-blue-600 m-2">
<div class="flex px-2">
<div class="shrink-0">
<%= svg "heroicons/solid/exclamation-circle", class: "h-6" %>
</div>
<div class="ml-3 flex-1 pt-0.5">
<p class="text-sm leading-5 font-semibold"><%= t "avo.not_authorized" %></p>
</div>
</div>
</div>
<% end %>
<% end %>
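Review bot: The alert container in the `else` branch lists `rounded` twice in its class attribute, `shadow-lg rounded px-4 py-3 rounded relative ...`; drop the duplicate, `<div class="shadow-lg rounded px-4 py-3 relative border text-white pointer-events-auto bg-blue-400 border-blue-600 m-2">`. The ten-line notice markup is inlined here; if the project already has a shared alert partial or component, reusing it would keep the `avo.not_authorized` message visually consistent with other notices, though that cannot be verified from this hunk. The outer `turbo_frame_tag` block opens on the hunk's first context line and closes on its last, so the new `if @authorized` / `else` / `end` structure is fully contained.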