Policy lookup for authorized_scope returns default policy instead of using implicit authorization target about action_policy HOT 3 OPEN

Thanks for the detailed report!

I think the first policy lookup could be done with default: nil to ensure it doesn't fallback on the default policy in the first lookup attempt, but only in the second call. But I am not sure this would not break other expected behaviour in other use cases.

Yeah, that would change the order of lookup 🤔 But only for scopes (in #authorize! and #allowed_to? we already fallback to the implicit target if no record is specified).

I think, we can safely update the current behaviour and add a configuration option to opt-in to it (and make it the default in v1.0).

from action_policy.

Hi @palkan. I'm trying to understand the situation and helping. Correct me if I'm thinking wrong. I have 3 tables in DB: users, posts, drafts.

class ApplicationPolicy < ActionPolicy::Base
  scope_for :data do |data|
    return data
  end

  def default_authorization_policy_class
    DefaultPolicy
  end
end

class DefaultPolicy < ApplicationPolicy
  relation_scope do |relation|
    return relation if user.admin?
    relation.where(user: user)
  end
end

class PostPolicy < DefaultPolicy
end

class UserPolicy < ApplicationPolicy
  relation_scope do |relation|
    return relation if user.admin?
    relation.where(id: user.id)
  end
end

policy = PostPolicy.new(user: admin)
policy.authorized_scope(Post.all) # => Post.all
policy.authorized_scope(User.all) # => User.all
policy.authorized_scope(Draft.all) # => Draft.all (working via #default_authorization_policy_class)
policy.authorized_scope("Test", type: :data) # => "Test"

This is expected behavior, right?

from action_policy.

Yes, in this case, the policy class for Draft.all is coming from the #default_authorization_policy_class and that's an expected behaviour.

P.S. I've set up an online reproduction playground: https://runruby.dev/?gist=2389f6d70c53c308012adec8a5f32053

from action_policy.