From 2e472f110305f095d1219869023ded8bf23a6d2b Mon Sep 17 00:00:00 2001
From: Paul Bob
Date: Wed, 3 Jul 2024 16:26:19 +0300
Subject: [PATCH 1/3] feature: apply target resource policy on belongs_to field create new link

---
 lib/avo/fields/belongs_to_field.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/avo/fields/belongs_to_field.rb b/lib/avo/fields/belongs_to_field.rb
index 0817368f3d..6a97f0a796 100644
--- a/lib/avo/fields/belongs_to_field.rb
+++ b/lib/avo/fields/belongs_to_field.rb
@@ -281,8 +281,12 @@ def index_link_to_record
 end
 end
 
+ # field :user, as: :belongs_to, can_create: true
+ # Only can create when:
+ # - `can_create: true` option is present
+ # - target resource's policy allow creation (UserPolicy in this example)
 def can_create?
- @can_create
+ @can_create && target_resource.authorization.authorize_action(:create, raise_exception: false)
 end
 
 def form_field_label

From 8773589214ed9a8abe0b964fdbcbf0f9ee031a2b Mon Sep 17 00:00:00 2001
From: Paul Bob
Date: Wed, 3 Jul 2024 18:02:50 +0300
Subject: [PATCH 2/3] fix polymorphic

---
 .../avo/fields/belongs_to_field/edit_component.html.erb | 5 +++--
 lib/avo/fields/belongs_to_field.rb | 6 ++++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/app/components/avo/fields/belongs_to_field/edit_component.html.erb b/app/components/avo/fields/belongs_to_field/edit_component.html.erb
index 43cd70ee36..2f99e808a8 100644
--- a/app/components/avo/fields/belongs_to_field/edit_component.html.erb
+++ b/app/components/avo/fields/belongs_to_field/edit_component.html.erb
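Review bot: The comment added above `can_create?` in PATCH 1/3 reads "Only can create when", but the method as shown only decides whether the field offers its create-new link; it does not itself stop a request to the target resource's create action. If that action is authorized elsewhere (not visible in this hunk), the comment should say so, so that nobody treats this predicate as the enforcement point: `# Controls whether the "create new" link is rendered; creation itself must still be authorized by the target resource's create action.` It is also worth confirming what `authorize_action(:create, raise_exception: false)` returns when the target resource has no policy defined, so that the link fails closed in that case.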
@@ -66,8 +66,9 @@
 <%= @form.hidden_field @field.id_input_foreign_key %>
 <% end %>
 <% end %>
- <% if field.can_create? %>
- <% create_href = create_path(Avo.resource_manager.get_resource_by_model_class(type.to_s)) %>
+ <% target_resource_for_type = Avo.resource_manager.get_resource_by_model_class(type.to_s) %>
+ <% if field.can_create?(target_resource_for_type) %>
+ <% create_href = create_path(target_resource_for_type) %>
 <% if !disabled && create_href.present? %>
 <%= link_to t("avo.create_new_item", item: type.model_name.human.downcase),
 create_href,
diff --git a/lib/avo/fields/belongs_to_field.rb b/lib/avo/fields/belongs_to_field.rb
index 6a97f0a796..4c8a8ab593 100644
--- a/lib/avo/fields/belongs_to_field.rb
+++ b/lib/avo/fields/belongs_to_field.rb
@@ -285,8 +285,10 @@ def index_link_to_record
 # Only can create when:
 # - `can_create: true` option is present
 # - target resource's policy allow creation (UserPolicy in this example)
- def can_create?
- @can_create && target_resource.authorization.authorize_action(:create, raise_exception: false)
+ def can_create?(forced_target_resource)
+ return unless @can_create
+
+ (forced_target_resource || target_resource).authorization.authorize_action(:create, raise_exception: false)
 end
 
 def form_field_label

From baccf6f32720a5cf842d7a4830a18c4485fdabfe Mon Sep 17 00:00:00 2001
From: Paul Bob
Date: Wed, 3 Jul 2024 18:05:33 +0300
Subject: [PATCH 3/3] fix

---
 lib/avo/fields/belongs_to_field.rb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/lib/avo/fields/belongs_to_field.rb b/lib/avo/fields/belongs_to_field.rb
index 4c8a8ab593..5781083f2c 100644
--- a/lib/avo/fields/belongs_to_field.rb
+++ b/lib/avo/fields/belongs_to_field.rb
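Review bot: `target_resource_for_type` is passed on without a nil check in the edit_component.html.erb hunk of PATCH 2/3. If `get_resource_by_model_class` can return nil for a type with no registered resource (not visible here), this commit's `can_create?` falls back to `target_resource` through `||`, so the link's visibility would be decided by a policy other than the one for `type`. After PATCH 3/3 replaces the `||` with a default argument, the same explicit nil bypasses the default and `.authorization` is called on nil. Guarding in the template keeps both versions fail-closed: `<% if target_resource_for_type.present? && field.can_create?(target_resource_for_type) %>`. The block that defines `type` starts outside the hunk.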
@@ -285,10 +285,8 @@ def index_link_to_record
 # Only can create when:
 # - `can_create: true` option is present
 # - target resource's policy allow creation (UserPolicy in this example)
- def can_create?(forced_target_resource)
- return unless @can_create
-
- (forced_target_resource || target_resource).authorization.authorize_action(:create, raise_exception: false)
+ def can_create?(final_target_resource = target_resource)
+ @can_create && final_target_resource.authorization.authorize_action(:create, raise_exception: false)
 end
 
 def form_field_label
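Review bot: The comment block above `can_create?` still describes only the zero-argument case, and nothing in PATCH 3/3 documents the new `final_target_resource` parameter. A line such as `# final_target_resource: resource whose policy is checked; polymorphic fields pass the resource resolved for the selected type, otherwise target_resource is used` would explain why the template passes an argument and which policy ends up gating the link. The predicate also returns `@can_create` itself when that is nil or false, which is fine under `if` but worth stating for callers that compare against `false`. The first line of the comment block (`# field :user, ...`) lies outside this hunk.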