authorize global search results #285
Conversation
| authorize_records(records) | ||
| end | ||
|
|
||
| def authorize_records(records) |
There was a problem hiding this comment.
@jasonfine I have some performance concerns with this method since we're looking up the authorization from the model per record. Since we're already looping through models via all_models, what if we filtered that down to authorized_models? I think that would drastically cut down on the Fae::Authorization.access_map look ups. What do you think?
There was a problem hiding this comment.
that's originally the route i went with this, then realized it doesn't work for situations where users are limited from seeing arbitrary fae::pages, ill take another look in the AM and see what might be possible here
| @@ -34,4 +34,34 @@ | |||
| end | |||
| end | |||
|
|
|||
| # see dummy app's authorization concern for auth mapping used here | |||
| scenario "search results get authorized", js: true do | |||
There was a problem hiding this comment.
ok moved all this to work on all_models, i didn't realize it was already working on pages because the static items in the global search are built from the already-authorized nav structure. win-win
ended up having to put the auth check on the
recordsset instead of trying to do it on theall_modelscollection because it won't work with content blocks on that level.