Nested resources: breadcrumbs are links even if user doesn't have #show permission #8734

vfonic started this conversation in Ideas

I've noticed that, with nested resources, the breadcrumbs are being generated with links to #show page of the parent resource, even if the current user is not authorized to show/edit the parent resource.

This is where the issue starts:
https://github.com/activeadmin/activeadmin/blob/master/app/views/active_admin/_page_header.html.erb#L3
https://github.com/activeadmin/activeadmin/blob/master/app/helpers/active_admin/breadcrumb_helper.rb#L7

and here's where the bug is:

```ruby
# Don't create a link if the resource's show action is disabled
if !config || config.defined_actions.include?(:show)
  link_to name, "/" + parts[0..index].join("/"), html_options
else
```

It checks if the `#show` action is defined, but not whether the current user is authorized to perform the `#show` action.

It also doesn't consider the case that's used in other places where the `#show` action is automatically replaced by the `#edit` action when the current user is not authorized to perform `#show`, but is authorized to perform `#edit`.


Replies: 3 comments

I don't consider this a bug. For example, consider that an action item (which likely contains a link) can still be displayed even if the user doesn't have access, although it can be supplied a hook (if block) to control whether it's rendered or not. The policy should prevent not the display of the link but an unauthorized user from loading the page. If you click the link as an unauthorized user, does the page still load?


I thought the default behavior was either to hide the link completely, as is the case with the "Edit"/"Destroy" buttons etc.

...or, in the case of the `auto_link` method: it shows the link when the user is authorized to show/edit the resource, or it shows plain text.
I think this would make the most sense for breadcrumbs.

In my project, users can manage sub-resources, which they reach from the parent `#index` page. They don't have access to parent `#show` nor parent `#edit`.

Does that make sense?

PS the page doesn't load. It fails authorization.

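The behaviour vfonic describes (link to `#show` when authorized, fall back to `#edit`, otherwise plain text) combined with the `defined_actions` check quoted in the opening post, as an added example that is not ActiveAdmin's code. The `Resource` struct, the `authorized` callable, the HTML helpers and the sample permissions are stand-ins constructed for this illustration; in ActiveAdmin the equivalents are the resource config, the authorization adapter and Rails' `link_to`.

```ruby
# Added example: breadcrumb entries that respect authorization the way
# auto_link does. Everything here is a constructed stand-in, not ActiveAdmin.
Resource = Struct.new(:name, :path, :defined_actions, keyword_init: true)

# Minimal HTML escaping for the label text we emit (a resource name is
# user-controlled data and must never land in the page unescaped).
def h(text)
  text.to_s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
end

# Stand-ins for Rails' link_to / content_tag. Paths are app-internal routes.
def link_tag(text, href)
  %(<a href="#{href}">#{text}</a>)
end

def span_tag(text)
  "<span>#{text}</span>"
end

# Render one breadcrumb entry. `authorized` is a callable
# (action, resource) -> true/false, standing in for the adapter's
# authorized?(action, subject). Like auto_link: prefer #show, fall back
# to #edit, and otherwise render plain text instead of a dead link.
# The defined_actions check is the one the current helper already does.
def breadcrumb_entry(resource, authorized)
  label = h(resource.name)
  actions = resource.defined_actions
  if actions.include?(:show) && authorized.call(:show, resource)
    link_tag(label, resource.path)
  elsif actions.include?(:edit) && authorized.call(:edit, resource)
    link_tag(label, "#{resource.path}/edit")
  else
    span_tag(label)
  end
end

# Constructed sample matching the reported scenario: the user may list
# parents (#index only) but may fully manage the nested child.
PARENT = Resource.new(name: "Acme Corp", path: "/admin/companies/1",
                      defined_actions: [:index, :show, :edit])
CHILD  = Resource.new(name: "Invoice 42", path: "/admin/companies/1/invoices/42",
                      defined_actions: [:index, :show, :edit])
PERMS = { "Acme Corp" => [:index], "Invoice 42" => [:index, :show, :edit] }
SAMPLE_POLICY = ->(action, resource) { PERMS.fetch(resource.name, []).include?(action) }

puts [PARENT, CHILD].map { |r| breadcrumb_entry(r, SAMPLE_POLICY) }.join(" / ")
```

With the sample policy the parent renders as `<span>Acme Corp</span>` while the child stays a link, so the trail no longer points at a page the user cannot load.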

> it shows plain text.

I like this idea

Category: Ideas. Labels: none yet. 3 participants: @vfonic, @javierjulio, @aalyahya.

This discussion was converted from issue #8729 on June 01, 2025 00:12.
