|
544 | 544 | ## Rolify integration |
545 | 545 |
|
546 | 546 | Check out [this guide](guides/rolify-integration.md) to add rolify role management with Avo. |
| 547 | + |
| 548 | +<Option name="`implicit_authorization`"> |
| 549 | + |
| 550 | +<VersionReq version="3.13.4" /> |
| 551 | + |
| 552 | + This option gives you control over how missing policy classes or methods are handled during authorization checks in your Avo application. |
| 553 | + |
| 554 | +### Possible values |
| 555 | + |
| 556 | +**`true`** |
| 557 | + - If a policy class or method is **missing** for a given resource or action, that action will automatically be considered **unauthorized**. |
| 558 | + - This behavior enhances security by ensuring that any unconfigured or unhandled actions are denied by default. |
| 559 | + |
| 560 | +**`false`** |
| 561 | + - If a policy class or method is **missing**, the action will be considered **authorized** by default. |
| 562 | + |
| 563 | +### Default |
| 564 | + |
| 565 | +- For **new applications** (starting from Avo `3.13.4`) the default value for `implicit_authorization` is `true`. This provides a more secure out-of-the-box experience by ensuring actions without explicit authorization are denied. |
| 566 | + |
| 567 | +- For **existing applications** upgrading to `3.13.4` or later the default value for `implicit_authorization` remains `false` to preserve backward compatibility. Existing applications will retain the permissive behavior unless explicitly changed. |
| 568 | + |
| 569 | +### Configuration: |
| 570 | + |
| 571 | +You can configure this setting in your `config/avo.rb` file: |
| 572 | + |
| 573 | +```ruby{4} |
| 574 | +Avo.configure do |config| |
| 575 | + # Set to true to deny access when policies or methods are missing |
| 576 | + # Set to false to allow access when policies or methods are missing |
| 577 | + config.implicit_authorization = true |
| 578 | +end |
| 579 | +``` |
| 580 | + |
| 581 | +### Examples: |
| 582 | + |
| 583 | +1. **When `implicit_authorization` is `true`** |
| 584 | + - **Scenario**: You have a `Post` resource, but there is no policy class defined for it. |
| 585 | + - **Result**: All actions for the `Post` resource (index, show, create, etc.) will be **unauthorized** unless you explicitly define a policy class and methods for those actions. |
| 586 | + |
| 587 | + --- |
| 588 | + - **Scenario**: You have a `Post` resource, and the policy class defined for it only defines the `show?` method. |
| 589 | + |
| 590 | + ```ruby |
| 591 | + class PostPolicy < ApplicationPolicy |
| 592 | + def show? |
| 593 | + user.admin? |
| 594 | + end |
| 595 | + end |
| 596 | + ``` |
| 597 | + - **Result**: In this case, since the `PostPolicy` lacks an `index?` method, attempting to access the `index` action will be denied by default. |
| 598 | + |
| 599 | +2. **When `implicit_authorization: false`** |
| 600 | + - **Scenario**: Same `Post` resource without a policy class. |
| 601 | + - **Result**: All actions for the `Post` resource will be **authorized** even though there are no explicit policy methods. This could expose unintended behavior, as any unprotected action will be accessible. |
| 602 | + |
| 603 | + --- |
| 604 | + |
| 605 | + - **Scenario**: You have a `Post` resource, and the policy class defined for it only defines the `show?` method. |
| 606 | + ```ruby |
| 607 | + class PostPolicy < ApplicationPolicy |
| 608 | + def show? |
| 609 | + user.admin? |
| 610 | + end |
| 611 | + end |
| 612 | + ``` |
| 613 | + - **Result**: In this case, missing methods like `index?` will allow access to the `index` action by default. |
| 614 | + |
| 615 | + |
| 616 | +### Migration Recommendations: |
| 617 | + |
| 618 | +- **For applications after from Avo `3.13.4`** |
| 619 | + |
| 620 | + It is recommended to leave `implicit_authorization` set to `true`, ensuring all actions must be explicitly authorized to prevent unintentional access. |
| 621 | + |
| 622 | +- **For applications before from Avo `3.13.4`** |
| 623 | + |
| 624 | + - If upgrading from an earlier version, carefully review your policies before enabling `implicit_authorization`. Missing policy methods that were previously allowing access will now deny access unless explicitly defined. |
| 625 | + |
| 626 | + - It’s recommended to disable [`raise_error_on_missing_policy`](authorization.html#raise-errors-when-policies-are-missing) in production, though it's not mandatory. When `implicit_authorization` is set to `true`, the default behavior is to deny access for actions without a defined policy. In this case, it’s often better to show an unauthorized message to users rather than raise an error. However, keeping [`raise_error_on_missing_policy`](authorization.html#raise-errors-when-policies-are-missing) enabled in development can be helpful for identifying missing policy classes. |
| 627 | +</Option> |
0 commit comments