feature: apply show policy on click_row_to_view_record (#3213)

* fix: apply `show` policy on `click_row_to_view_record` * simplify
avo-hq · Sep 5, 2024 · 4f318a8 · 4f318a8
1 parent d00266f
commit 4f318a8
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 10 deletions.
diff --git a/app/components/avo/index/resource_controls_component.rb b/app/components/avo/index/resource_controls_component.rb
@@ -2,6 +2,7 @@
 
 class Avo::Index::ResourceControlsComponent < Avo::ResourceComponent
   include Avo::ApplicationHelper
+  include Avo::Concerns::ChecksShowAuthorization
 
   prop :resource, _Nilable(Avo::BaseResource)
   prop :reflection, _Nilable(ActiveRecord::Reflection::AbstractReflection)
@@ -20,15 +21,6 @@ def can_edit?
     @resource.authorization.authorize_action(:edit, raise_exception: false)
   end
 
-  def can_view?
-    return false if Avo.configuration.resource_default_view.edit?
-
-    return authorize_association_for(:show) if @reflection.present?
-
-    # Even if there's a @reflection object present, for show we're going to fallback to the original policy.
-    @resource.authorization.authorize_action(:show, raise_exception: false)
-  end
-
   def show_path
     helpers.resource_show_path(resource: @resource, parent_or_child_resource: parent_or_child_resource, parent_resource: parent_resource, parent_record: @parent_record)
   end

diff --git a/app/components/avo/index/table_row_component.rb b/app/components/avo/index/table_row_component.rb
@@ -2,6 +2,7 @@
 
 class Avo::Index::TableRowComponent < Avo::BaseComponent
   include Avo::ResourcesHelper
+  include Avo::Concerns::ChecksShowAuthorization
 
   attr_writer :header_fields
 
@@ -24,5 +25,7 @@ def resource_controls_component
     )
   end
 
-  def click_row_to_view_record = Avo.configuration.click_row_to_view_record
+  def click_row_to_view_record
+    Avo.configuration.click_row_to_view_record && can_view?
+  end
 end
diff --git a/lib/avo/concerns/checks_show_authorization.rb b/lib/avo/concerns/checks_show_authorization.rb
@@ -0,0 +1,18 @@
+module Avo
+  module Concerns
+    module ChecksShowAuthorization
+      include Avo::Concerns::ChecksAssocAuthorization
+
+      extend ActiveSupport::Concern
+
+      def can_view?
+        return false if Avo.configuration.resource_default_view.edit?
+
+        return authorize_association_for(:show) if @reflection.present?
+
+        # Even if there's a @reflection object present, for show we're going to fallback to the original policy.
+        @resource.authorization.authorize_action(:show, raise_exception: false)
+      end
+    end
+  end
+end