Unexpected policy_class behavior in SearchController #4070

@jeffomiecinski

Description

Describe the bug

During resource authorization in the SearchController, a policy_class kwarg is passed to the AuthorizationService authorize_action method in order to support validating a resource's custom policy_class.

```ruby
def search_results(resources, request: nil)
  resources
    .map do |resource|
      # Apply authorization
      next unless @authorization.set_record(resource.model_class).authorize_action(
        :search,
        policy_class: resource.authorization_policy,
        raise_exception: false
      )
      # ... remainder of the block not included in the report
    end
end
```

The Avo Pro `AuthorizationService` already has a default policy class set from the authorization client which typically gets used. However, because the `authorize_action` method passes along all `**args` to the `class.authorization_action` method, the `resource.authorization_policy` always gets used even if it's nil. (`avo/pro/authorization/authorization_service.rb:136`)

Is this intended behavior or should there be a null check before overriding the policy_class kwarg passed to class.authorize_action?

Steps to use in the reproduction repository

We are not using Pundit, instead a custom authorization client, but I assume these steps should work. Sorry they are a little vague, but I hope my explanation and root cause above are clear enough to demonstrate the issue without even running the app.

(Potential) Steps to reproduce the behavior:

  1. Create two resources, where one is a has_many relationship of the other so that the "Attach" index_control will appear.
  2. Make the child resource searchable with ransack.
  3. Define a pundit policy for the resources so that Pundit.policy(user, record) would return a policy for any of the objects.
  4. Do not set self.authorization_policy on the resources.
  5. Attempt to attach a child object to the parent and search for an item.

Expected behavior & Actual behavior

Expected: When the resource does not have a custom policy value set, the inferred policy_class is applied.

Actual: The policy_class passed to Pundit will be nil instead of the inferred policy_class that is usually used. In our case this causes authorization to fail and no results to appear in search.

Note that this behavior appears specific to searching while attaching an item. Global search does not appear affected, but I didn't diagnose why.

System configuration

Avo version: 3.2.4

Rails version: 7.2.2.2

Ruby version: 3.4.4

License type:

  • Community
  • Pro
  • Advanced

Are you using Avo monkey patches, overriding views or view components?

  • Yes. If so, please post code samples.
  • No

Impact

  • High impact (It makes my app un-usable.)
  • Medium impact (I'm annoyed, but I'll live.)
  • Low impact (It's really a tiny thing that I could live with.)

Urgency

  • High urgency (I can't continue development without it.)
  • Medium urgency (I found a workaround, but I'd love to have it fixed.)
  • Low urgency (It can wait. I just wanted you to know about it.)
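The keyword-forwarding behaviour the report describes, as an added illustration that is not Avo's code: a minimal service that forwards `**args` to an authorization client, showing that an explicit `policy_class: nil` displaces the service's default, next to a nil-checked variant. All class and method names here (`FakeClient`, `AuthorizationService`, `ArticlePolicy`, `RestrictivePolicy`, `demo`) are constructed for the example.

```ruby
# Constructed record and policies (not from Avo or the reporter's app).
Article = Struct.new(:title)

class ArticlePolicy
  def initialize(user, record)
    @user, @record = user, record
  end

  def search?
    true
  end
end

class RestrictivePolicy < ArticlePolicy
  def search?
    false
  end
end

# Stand-in for the authorization client: it needs a concrete policy class,
# so a nil policy_class fails authorization (or raises, if asked to).
class FakeClient
  def authorize(user, record, action, policy_class:, raise_exception: true)
    if policy_class.nil?
      raise "no policy_class supplied" if raise_exception
      return false
    end
    policy_class.new(user, record).public_send(:"#{action}?")
  end
end

class AuthorizationService
  def initialize(client, user, record, default_policy_class)
    @client, @user, @record, @default = client, user, record, default_policy_class
  end

  # Forwards kwargs verbatim. A key that is present wins over the default,
  # so `policy_class: nil` reaches the client as nil.
  def authorize_action_forwarding(action, **args)
    opts = { policy_class: @default }.merge(args)
    @client.authorize(@user, @record, action, **opts)
  end

  # Nil-checked variant: a nil policy_class falls back to the default.
  def authorize_action_checked(action, policy_class: nil, **args)
    @client.authorize(@user, @record, action, policy_class: policy_class || @default, **args)
  end
end

# resource_policy = nil models a resource with no self.authorization_policy set.
def demo(resource_policy = nil)
  svc = AuthorizationService.new(FakeClient.new, :user, Article.new("x"), ArticlePolicy)
  { forwarding: svc.authorize_action_forwarding(:search, policy_class: resource_policy, raise_exception: false),
    checked: svc.authorize_action_checked(:search, policy_class: resource_policy, raise_exception: false) }
end
```

With no resource policy, `demo` returns `false` for the forwarding path and `true` for the nil-checked path; with `RestrictivePolicy` both paths honour the custom policy and return `false`.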

Labels: Stale, Waiting on Reproduction (pending reproduction repository or detailed reproduction steps to proceed with issue resolution)