Activeadmin: CanCan permissions scheme for Batch Actions

Created on 11 Jan 2014 · 3 Comments · Source: activeadmin/activeadmin

Inspired by #2486, we should have a permissions scheme for Batch Actions that's similar to the way that the native CanCan verbs work:

@killthekitten I'd like to see two things:

  1. a catch-all authorization scope, :run_batch_actions
  2. dynamic authorization checking done automatically by Active Admin

# So you'd have these two by default:
can :run_batch_actions
cannot :batch_destroy
# With any number of dynamic ones built from the batch actions you register:
can :batch_tag
cannot :batch_flag

Where both the catch-all scope and the dynamically named scope would be checked.

feature help wanted

All 3 comments

Same for pundit

Does it support this now?

My solution/workaround:

ActiveAdmin.register Post do
  extend BatchDestroy
end

# app/admin/concerns/batch_destroy.rb
module BatchDestroy
  def self.extended(base)
    base.instance_eval do

      destroy_options = {
        label: I18n.t("active_admin.delete"),
        priority: 100,
        confirm: proc { I18n.t("active_admin.batch_actions.delete_confirmation", plural_model: active_admin_config.plural_resource_label.downcase) },
        if: proc { controller.action_methods.include?("destroy") && authorized?(ActiveAdmin::Auth::DESTROY, active_admin_config.resource_class) }
      }

      batch_action :destroy, destroy_options do |selected_ids|
        if authorized? :batch_destroy, resource_class
          resource_class.find(selected_ids).each do |record|
            authorize! ActiveAdmin::Auth::DESTROY, record
            destroy_resource(record)
          end

          redirect_to active_admin_config.route_collection_path(params),
                      notice: I18n.t(
                        "active_admin.batch_actions.succesfully_destroyed",
                        count: selected_ids.count,
                        model: active_admin_config.resource_label.downcase,
                        plural_model: active_admin_config.plural_resource_label(count: selected_ids.count).downcase)
        else
          redirect_to active_admin_config.route_collection_path(params),
                      notice: I18n.t( "active_admin.access_denied.message" )
        end
      end

    end
  end
end

This overrides the existing batch action added from: https://github.com/activeadmin/activeadmin/blob/master/lib/active_admin/batch_actions/resource_extension.rb#L57-L77

If someone wants to update the original, it's just missing: if authorized? :batch_destroy, resource_class. As for other actions, just implement your own authorized? wrapping in your batch_action.
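
The two-layer check proposed in the issue (the catch-all :run_batch_actions scope plus a dynamically named batch_<action> scope), as an added example that is not Active Admin's or CanCan's own code. SketchAbility is a minimal stand-in for a CanCan ability, and run_batch_action, sample_ability and Post are hypothetical names; the helper also checks every selected record before acting on any of them, so a denial cannot leave a partly applied batch.

```ruby
# Minimal stand-in for a CanCan-style ability (assumption: not the cancancan gem).
# As in CanCan, the most recently defined matching rule wins.
class SketchAbility
  def initialize
    @rules = []
  end

  def can(action, subject = :all)
    @rules << [true, action, subject]
  end

  def cannot(action, subject = :all)
    @rules << [false, action, subject]
  end

  # Deny by default when no rule matches.
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    rule = @rules.reverse.find { |_, a, s| a == action && (s == :all || s == klass) }
    rule ? rule.first : false
  end
end

Post = Struct.new(:id) # constructed sample model

# Hypothetical helper: the catch-all scope and the dynamically named scope must
# both pass, then every selected record must pass the per-record verb. The block
# runs only after all checks succeed.
def run_batch_action(ability, name, klass, records, record_verb)
  return :denied unless ability.can?(:run_batch_actions, klass)
  return :denied unless ability.can?(:"batch_#{name}", klass)
  return :denied unless records.all? { |r| ability.can?(record_verb, r) }
  records.each { |r| yield r }
  :ok
end

# The rule set from the issue, plus a constructed per-record :update rule.
def sample_ability
  ab = SketchAbility.new
  ab.can :run_batch_actions
  ab.cannot :batch_destroy
  ab.can :batch_tag
  ab.cannot :batch_flag
  ab.can :update, Post
  ab
end
```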
