Re-add object-level auth to Spree::Admin::ResourceController

2026-03-19 04:49:15 +00:00 · 2016-05-20 16:26:54 +10:00
parent 1497d2c3bb
commit 257441c9be
1 changed files with 16 additions and 0 deletions
--- a/app/controllers/spree/admin/resource_controller_decorator.rb
+++ b/app/controllers/spree/admin/resource_controller_decorator.rb
@@ -0,0 +1,16 @@
+module AuthorizeOnLoadResource
+  def load_resource
+    super
+
+    if member_action?
+      # If we don't have access, clear the object
+      unless can? action, @object
+        instance_variable_set("@#{object_name}", nil)
+      end
+
+      authorize! action, @object
+    end
+  end
+end
+
+Spree::Admin::ResourceController.send(:prepend, AuthorizeOnLoadResource)