Ability to default association authorizations to false rather than true

[segiddins]

Currently, authorization around associations defaults to true if you don't define the relevant method on the policy.

(e.g. you have a Rubygem resource with field :versions, as: :has_many, on RubygemPolicy if you don't define a {destroy,create,show,view,etc}_versions? then Avo will default to those being true, instead of the expected false when raise_error_on_missing_policy = true)

I've attempted to make this safer by adding a test that all association policy methods are defined, but I'd love to be able to have Avo "fail closed" when a policy method isn't implemented.

[adrianthedev]

Yes. The issue is here.

I had this discussion before with a few other folks, and I agree with your suggestion.

One of the ideas of Avo is to have a low barrier of entry and the least amount of friction possible when you get started. That's why we default to this "loose" way of doing things (default to true instead of false), but it's messy when you start to add more resources, and authorization is essential.

We should probably have an "implicit authorization" setting that would enable raise_error_on_missing_policy and the guards you presented.

I'm inclined to add it to the roadmap for Avo 3, so we start fresh with it. Otherwise, it's a breaking change for everyone. They will soon start to see things disappearing from their pages.

Do you agree with this approach?

[segiddins]

Yeah that makes sense. In the meantime I might monkey-patch that method to change the default, do you think I'd run into any issues doing that?

[adrianthedev]

Well, you know how it is with monkey-patching. Generally, you shouldn't have a problem, but be on the lookout when updating to Avo 3.

[icaroryan]

Hey there, is there another way to do this already? I was wondering the same thing when I had four association authorizations set to false

[adrianthedev]

Good news everyone.
We are tackling this to be the default in new apps (old apps can opt-in) and make it the default in Avo 4.

#3292

[adrianthedev]

Closing for now. Let's keep the conversation going on the PR.
Thanks for all the feedback ❤️