Remove authorize_scope temporarily

goosys · goosys · commit ce182cf10520 · 2026-01-24T11:20:28.000Z
diff --git a/app/controllers/administrate/application_controller.rb b/app/controllers/administrate/application_controller.rb
@@ -5,14 +5,13 @@ class ApplicationController < ActionController::Base
     def index
       authorize_resource(resource_class)
       search_term = params[:search].to_s.strip
-      authorized_scope = authorize_scope(scoped_resource)
-      resources = filter_resources(authorized_scope, search_term: search_term)
+      resources = filter_resources(scoped_resource, search_term: search_term)
       resources = apply_collection_includes(resources)
       resources = order.apply(resources)
       resources = paginate_resources(resources)
       page = Administrate::Page::Collection.new(dashboard, order: order)
       page.context = self
-      filters = Administrate::Search.new(authorized_scope, dashboard, search_term).valid_filters
+      filters = Administrate::Search.new(scoped_resource, dashboard, search_term).valid_filters
 
       render locals: {
         resources: resources,
@@ -210,16 +209,7 @@ def requested_resource
     # @param param [ActiveSupport::Parameter]
     # @return [ActiveRecord::Base]
     def find_resource(param)
-      authorize_scope(scoped_resource).find(param)
-    end
-
-    # Override this if you want to authorize the scope.
-    # This will be used in all actions except for the `new` and `create` actions.
-    #
-    # @param scope [ActiveRecord::Relation]
-    # @return [ActiveRecord::Relation]
-    def authorize_scope(scope)
-      scope
+      scoped_resource.find(param)
     end
 
     # Override this if you have certain roles that require a subset.
diff --git a/app/controllers/concerns/administrate/punditize.rb b/app/controllers/concerns/administrate/punditize.rb
@@ -15,8 +15,8 @@ def policy_namespace
         []
       end
 
-      def authorize_scope(scope)
-        namespaced_scope = policy_namespace + [scope]
+      def scoped_resource
+        namespaced_scope = policy_namespace + [super]
         policy_scope!(pundit_user, namespaced_scope)
       end
 
diff --git a/docs/customizing_controller_actions.md b/docs/customizing_controller_actions.md
@@ -27,15 +27,7 @@ class Admin::FoosController < Admin::ApplicationController
   # This will be used to set the resource for the `show`, `edit`, `update` and `destroy` actions.
   #
   # def find_resource(param)
-  #   authorize_scope(scoped_resource).find_by!(slug: param)
-  # end
-
-  # Override this if you want to authorize the scope.
-  # This will be used in all actions except for the `new` and `create` actions.
-  #
-  # def authorize_scope(scope)
-  #   namespaced_scope = policy_namespace + [scope]
-  #   policy_scope!(pundit_user, namespaced_scope)
+  #   Foo.find_by!(slug: param)
   # end
 
   # Override this if you have certain roles that require a subset.
diff --git a/spec/controllers/admin/application_controller_spec.rb b/spec/controllers/admin/application_controller_spec.rb
@@ -111,7 +111,6 @@ def resource_resolver
 
     before do
       allow(controller).to receive(:find_resource).and_call_original
-      allow(controller).to receive(:authorize_scope).and_call_original
       allow(controller).to receive(:scoped_resource).with(no_args).and_call_original
       allow(controller).to receive(:authorize_resource).and_call_original
       allow(controller).to receive(:contextualize_resource).and_call_original
@@ -122,8 +121,7 @@ def resource_resolver
       it "passes all necessary authorization methods" do
         get :index, params: {}
         expect(controller).not_to have_received(:find_resource)
-        expect(controller).to have_received(:authorize_scope)
-        expect(controller).to have_received(:scoped_resource)
+        expect(controller).to have_received(:scoped_resource).exactly(2).times
         expect(controller).to have_received(:authorize_resource)
         expect(controller).not_to have_received(:contextualize_resource)
       end
@@ -133,7 +131,6 @@ def resource_resolver
       it "passes all necessary authorization methods" do
         get :new, params: {}
         expect(controller).not_to have_received(:find_resource)
-        expect(controller).not_to have_received(:authorize_scope)
         expect(controller).not_to have_received(:scoped_resource)
         expect(controller).to have_received(:authorize_resource)
         expect(controller).to have_received(:contextualize_resource)
@@ -145,7 +142,6 @@ def resource_resolver
         params = attributes_for(:order)
         post :create, params: {order: params}
         expect(controller).not_to have_received(:find_resource)
-        expect(controller).not_to have_received(:authorize_scope)
         expect(controller).not_to have_received(:scoped_resource)
         expect(controller).to have_received(:authorize_resource)
         expect(controller).to have_received(:contextualize_resource)
@@ -157,7 +153,6 @@ def resource_resolver
         order = create(:order)
         get :show, params: {id: order.to_param}
         expect(controller).to have_received(:find_resource)
-        expect(controller).to have_received(:authorize_scope)
         expect(controller).to have_received(:scoped_resource)
         expect(controller).to have_received(:authorize_resource)
         expect(controller).to have_received(:contextualize_resource)
@@ -169,7 +164,6 @@ def resource_resolver
         order = create(:order)
         get :edit, params: {id: order.to_param}
         expect(controller).to have_received(:find_resource)
-        expect(controller).to have_received(:authorize_scope)
         expect(controller).to have_received(:scoped_resource)
         expect(controller).to have_received(:authorize_resource)
         expect(controller).to have_received(:contextualize_resource)
@@ -181,7 +175,6 @@ def resource_resolver
         order = create(:order)
         put :update, params: {id: order.to_param, order: {address_zip: "666"}}
         expect(controller).to have_received(:find_resource)
-        expect(controller).to have_received(:authorize_scope)
         expect(controller).to have_received(:scoped_resource)
         expect(controller).to have_received(:authorize_resource)
         expect(controller).to have_received(:contextualize_resource)
@@ -193,7 +186,6 @@ def resource_resolver
         order = create(:order)
         delete :destroy, params: {id: order.to_param}
         expect(controller).to have_received(:find_resource)
-        expect(controller).to have_received(:authorize_scope)
         expect(controller).to have_received(:scoped_resource)
         expect(controller).to have_received(:authorize_resource)
         expect(controller).to have_received(:contextualize_resource)
