# avo-2
  • lemon-wall-20836 (01/16/2022, 12:13 PM)
    yup
  • lemon-wall-20836 (01/16/2022, 12:13 PM)
    we were planning on adding a "views" feature where you could further customize the way the data is queried and displayed
  • clean-salesmen-51708 (01/16/2022, 12:17 PM)
    Nice.
  • clean-salesmen-51708 (01/16/2022, 12:17 PM)
    Only got around to spinning up Avo today and wow! So far it's really neat.
  • lemon-wall-20836 (01/16/2022, 12:18 PM)
    🙏
  • some-tiger-63907 (01/16/2022, 11:44 PM)
    Hey, I've got an avo pro licence and I've got some initial feedback/questions:
    - Authorisation ability appears to fail "open" even with a pro licence configured. This means I'm one config mistake from deploying an app with no authorisation.
    - Do Pundit scopes work? The following Policy returns all records on index despite honouring the actions. EDIT: I can see it being used on associations but not the resource. e.g.
    ```ruby
    class ProfilePolicy < ApplicationPolicy
      class Scope < Scope
        def resolve
          scope.none
        end
      end
      # ...
    end
    ```
    - Can the pro licence ignore the domain in development mode?
  • lemon-wall-20836 (01/17/2022, 6:16 PM)
    Hey @User Apologies for the delay.
    1. I don't understand the question exactly. What do you mean by `ability appears to fail "open"`?
    2. Pundit scopes work if you have a pro license. I tested them right now and they work on both index and show. Are they not working on your end?
    3. I don't understand `ignore the domain in development mode`? Are you getting any notices in development regarding the pro license? I want to cover all the bases here. Have you restarted the server after you applied the pro license like on the docs page? https://docs.avohq.io/1.0/licensing.html#add-the-license-key
  • some-tiger-63907 (01/17/2022, 10:52 PM)
    1. ☠️ It would be safer to enforce authorization and error on invalid license vs ignore authorization altogether. e.g. Pundit has some `after_action` methods to ensure it's run, e.g. `after_action :verify_authorized` and `verify_policy_scoped`. See https://github.com/varvet/pundit#ensuring-policies-and-scopes-are-used Looks like it only works with the controller methods so won't with the Avo service: https://github.com/varvet/pundit/blob/main/lib/pundit/authorization.rb#L65
    2. ☠️ It doesn't appear to be working for the controller resource. Just the controller resource associations. I'll do some more testing. UPDATE: `BaseResource#query_scope` authorization service has no user and `apply_policy` has a guard statement: `return model if user.nil?`. It also has a
    ```ruby
    rescue
      model
    end
    ```
    3. 💚 Fixed above thanks. Was just another config line redefining license.
  • lemon-wall-20836 (01/18/2022, 7:43 AM)
    1. The philosophy here is that I would like to allow for a "natural" development experience. Let's say you have an app already with some policies and want to try out Avo community. Enforcing the authorization could make you feel "trapped" to purchase the pro version, when you might not need it. There are plenty of users that only need the community version and might use the policies for the rest of the app.
  • lemon-wall-20836 (01/18/2022, 7:44 AM)
    That being said 👆 I agree that we should put in place better messaging around that. Maybe a banner that says "Hey, we noticed you're trying to apply a policy and that's a pro feature..."
  • lemon-wall-20836 (01/18/2022, 7:47 AM)
    so everything is fixed (including 2.) by fixing the license configuration issue?
  • lemon-wall-20836 (01/18/2022, 2:17 PM)
    Hey guys, we need your help with something. There's this context issue that's been popping up and we don't know how to fix it. Maybe you can help? https://github.com/avo-hq/avo/issues/576
  • some-tiger-63907 (01/18/2022, 10:26 PM)
    No. License issue fixed. Scope issue still. Policy scope not being applied because no user being passed in despite being logged in. Looks like a bug. The apply policy code looks dangerous. Could lead to information disclosure. Update: `Avo::Services::AuthorizationService.new Avo::App.current_user` in `BaseResource` returning nil. Not sure how it expected to be populated in class context. e.g.
    ```ruby
    @resource.authorization.apply_policy @query # works
    @resource.class.query_scope # doesn't
    ```
    If I add the following to the index action I get the expected behaviour:
    ```ruby
    @query = @resource.authorization.apply_policy @query
    ```
    This appears to be a major bug in authorization.
  • some-tiger-63907 (01/19/2022, 3:42 AM)
    Looking at the dummy app it might be something with `config.current_user_method`.
  • lemon-wall-20836 (01/19/2022, 7:45 AM)
    @User have you configured your `current_user_method` in your initializer?
  • lemon-wall-20836 (01/19/2022, 7:45 AM)
    https://docs.avohq.io/1.0/authentication.html#using-devise
  • lemon-wall-20836 (01/19/2022, 7:46 AM)
    what is your authentication provider? are you using devise or something else?
  • lemon-wall-20836 (01/19/2022, 8:12 AM)
    I just tested the feature myself and authorization works
  • lemon-wall-20836 (01/19/2022, 8:13 AM)
    if you're using devise, you should add this line in your `avo.rb` initializer
    ```ruby
    config.current_user_method = :current_user
    ```
  • lemon-wall-20836 (01/19/2022, 8:13 AM)
    this way Avo knows how to fetch the `current_user`
  • lemon-wall-20836 (01/19/2022, 8:22 AM)
    we also added extended instructions on the installation page regarding setting up authentication
  • lemon-wall-20836 (01/19/2022, 12:19 PM)
    hey @User if that doesn't work 👆 let's jump on a call and see what the issue is. if it's a bug on our end we certainly want to fix it
  • some-tiger-63907 (01/19/2022, 10:46 PM)
    I'm using omni-auth + amazon cognito. This bit of Avo code caused most of the issues:
    ```ruby
    def apply_policy(user, model)
      return model if skip_authorization
      return model if user.nil?

      begin
        Pundit.policy_scope! user, model
      rescue
        model
      end
    end
    ```
    It was throwing an exception as per the Pundit docs e.g. `raise Pundit::NotAuthorizedError, "must be logged in" unless user` and Avo unscopes the collection.
  • some-tiger-63907 (01/19/2022, 10:50 PM)
    e.g.
    ```ruby
    return model if user.nil? # no security

    begin
      # security
    rescue
      # no security
    end
    ```
  • some-tiger-63907 (01/19/2022, 10:59 PM)
    There was an issue with current user in some contexts. Rescuing exceptions like the above makes it difficult to detect misconfiguration. I'm using a block:
    ```ruby
    config.current_user_method do
      User.find(session[:user_id]) if session[:user_id]
    end
    ```
  • quaint-pencil-2979 (01/21/2022, 6:50 PM)
    Hello, guys, I am facing problems with an uncountable model again, now it is on search. It is the same problem as in this issue (https://github.com/avo-hq/avo/issues/524) but now on search. In this line:
    ```erb
    <%# /app/components/avo/views/resource_index_component.html.erb %>
    <%= render partial: 'avo/partials/resource_search', locals: {resource: @resource.route_key} if @resource.search_query.present? %>
    ```
    `@resource.route_key` returns `library_media_index` in my case, and I guess it should return `library_media`. If I change this to `@resource.model_class.model_name.plural` it works. Is using `route_key` necessary in this case?
  • lemon-wall-20836 (01/21/2022, 6:51 PM)
    Hey
  • lemon-wall-20836 (01/21/2022, 6:51 PM)
    What is the model name?
  • lemon-wall-20836 (01/21/2022, 6:51 PM)
    Rails and Avo should handle that well
  • quaint-pencil-2979 (01/21/2022, 6:52 PM)
    Library::Media