belongs_to field does not use show_action? to control if link should be rendered
- What were you trying to do?
Wire in authorization checks into administrate, following the guide. Unfortunately, the app/views/fields/belongs_to/_show.html.erb template for belongs_to does not leverage #show_action? to determine if the link should be rendered:
https://github.com/thoughtbot/administrate/blob/e1baea3e63cdec65774f1b0084ced5c4138f99a0/app/views/fields/belongs_to/_show.html.erb#L18-L27
It checks #valid_action? to see if the action for the resource is "valid", which I interpret as meaning: is the action supported. However, the template does not also check #show_action? prior to rendering the link.
Compare that with how app/views/administrate/application/_collection.html.erb uses both #valid_action? and #show_action? to determine if a link should be rendered.
https://github.com/thoughtbot/administrate/blob/e1baea3e63cdec65774f1b0084ced5c4138f99a0/app/views/administrate/application/_collection.html.erb#L77-L83
- What did you end up with (logs, or, even better, example apps are great!)?
Administrate is generating links to actions that users are not authorized to follow. If users see a link ... they will click a link.
- What versions are you running?
- Rails: 6.1.3.2
- administrate: 0.16.0
- ruby: 2.7.3p183
Is this behavior by design? Should I be overriding both valid_action? and show_action? to handle authorization?
Thank you @carlost. Yeah, there are a few places where this happens, and I'm currently working on something to fix it more cleanly (https://github.com/thoughtbot/administrate/pull/1941). Having said that, my changes may still take a while to come, so perhaps you could create a PR that fixes it for BelongsTo for the time being?
might be fixed in #1941
Indeed, it should be fixed now. Closing, but let me know if this is not the case.
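An added example, not part of the original thread and not Administrate's own code: a heuristic Ruby audit that lists ERB conditionals calling valid_action? without show_action?, the pattern this issue describes, so overridden or custom views can be checked for the same gap. The template paths, bodies and variable names below are constructed samples; in a real app the sources would be read from the views directory.

```ruby
# Heuristic audit: report ERB conditionals that gate on valid_action? (the
# action is supported) without also calling show_action? (the authorization
# check). Nested guards split across separate tags are not correlated, so a
# finding is a prompt for manual review, not proof of a missing check.

CONDITIONAL_TAG = /<%-?\s*(?:if|elsif|unless)\b(.*?)-?%>/m

# Constructed sample templates (hypothetical paths and variable names).
SAMPLE_TEMPLATES = {
  "sample/belongs_to_show.html.erb" => <<~ERB,
    <% if record %>
      <% if valid_action?(:show, record.class) %>
        <%= link_to record.name, [namespace, record] %>
      <% else %>
        <%= record.name %>
      <% end %>
    <% end %>
  ERB
  "sample/collection_row.html.erb" => <<~ERB
    <% if valid_action?(:edit, resource_name) &&
          show_action?(:edit, resource) %>
      <%= link_to "Edit", [:edit, namespace, resource] %>
    <% end %>
  ERB
}.freeze

# templates: Hash of path => ERB source. Returns one Hash per finding.
def ungated_link_conditions(templates)
  templates.flat_map do |path, source|
    findings = []
    source.scan(CONDITIONAL_TAG) do
      match = Regexp.last_match
      condition = match[1].strip
      next unless condition.include?("valid_action?")
      next if condition.include?("show_action?")

      # 1-based line number of the opening ERB tag.
      line = source[0...match.begin(0)].count("\n") + 1
      findings << { path: path, line: line, condition: condition }
    end
    findings
  end
end

ungated_link_conditions(SAMPLE_TEMPLATES).each do |f|
  puts "#{f[:path]}:#{f[:line]}: #{f[:condition]}"
end
```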