File upload authorization shouldn't apply to actions

[aburgel]

Describe the bug

We ran into an issue where we lost permissions to upload files on an action because of a change in one of our policies. It was surprising that the upload_{field}? permission applies to actions. The documentation doesn't mention this. Actions aren't necessarily 1 to 1 with a resource, they seem purposefully design to work with multiple kinds of resources. Plus none of the other permissions apply to the action itself. (Yes, act_on? determines whether you can use the action, but that controls behavior on the resource itself, not within the action.)

Steps to reproduce

1. Create a resource with an authorization policy that doesn't allow upload_file?
2. Create an action with a file upload field named file
3. Open the action and observe that you cannot upload a file

Expected behavior & Actual behavior

Expected behavior is that authorization policies don't apply within an action (just to the resource that invokes the action).

Actual behavior is to hide the upload field if the outer resource authorization policy doesn't allow upload_{field}?

System configuration

Avo version: 3.26.1

Rails version: 8.0.1

Ruby version: 3.4.7

License type:

• Community
• Pro
• Advanced

Are you using Avo monkey patches, overriding views or view components?

• Yes. If so, please post code samples.
• No

Screenshots or screen recordings

Additional context

Impact

• High impact (It makes my app un-usable.)
• Medium impact (I'm annoyed, but I'll live.)
• Low impact (It's really a tiny thing that I could live with.)

Urgency

• High urgency (I can't continue development without it.)
• Medium urgency (I found a workaround, but I'd love to have it fixed.)
• Low urgency (It can wait. I just wanted you to know about it.)

[linear]

AVO-846

[Paul-Bob]

Hi @aburgel

We ran into an issue where we lost permissions to upload files on an action because of a change in one of our policies. It was surprising that the upload_{field}? permission applies to actions.

Could you explain the use case a bit more? In your case, you want the file field to disallow uploads on the resource form but allow them when running an action on the same field id?

---

The documentation doesn't mention this.

Both documentation pages, file field and authorization, mention this behavior:

https://docs.avohq.io/3.0/fields/files.html#authorization
https://docs.avohq.io/3.0/authorization.html#attachments

---

I understand your point. Actions and most Avo features have evolved to support multiple use cases. Authorization for file fields on both resources and actions was added around version 2.28 and has been documented since then.

Let me know if this behavior is restricting you from achieving something. I'm here to help you work around it or even merge a PR if we find it necessary

[aburgel]

Could you explain the use case a bit more? In your case, you want the file field to disallow uploads on the resource form but allow them when running an action on the same field id?

In my case, I have a bulk create feature that allows users to upload a CSV that will create records of a particular resource type. The resource itself doesn't have any files, only the action does for the CSV file. In this case, the action has a field called file. So to make that field appear, I have to allow upload_file? on the resource. The resource itself has no field called file so it feels a bit odd to have that permission defined on the resource policy.

In fact, that's what caused this issue to surface, we were auditing our policies and noticed that there was this permission for a field that didn't exist on the resource, so we removed it, not realizing that it applied to the action.

We have a few other similar cases where we use actions to do things that are related to a resource but don't have the exact same fields of the resource.

---

Both documentation pages, file field and authorization, mention this behavior.

Sort of? I agree that the documentation says these permissions apply to fields and I know that fields are used on actions, but it's not at all clear that the policy of the resource that triggers the action is applied to the action itself (yes, I get that act_on? applies but that occurs within the context of the resource to determine whether to show actions, not what happens when you actually show/execute an action). It's also only the upload permissions that apply to the action itself, nothing else about the policy is in effect (AFAIK).

Also, there is a separate way to authorize actions that don't mention policies.

---

In terms of a fix, IMHO, given that you have act_on? and Action.authorize, I feel like that is sufficient levels of control that you don't need another layer just for file uploads in actions, so I would just not check that permission there. If there is a use case for this additional layer, I would consider naming it something specific to actions upload_in_action_{action_name}?, so it's obvious when it applies. (Again IMHO), it seems fairly niche to me to need multiple file uploads in an action each with their own permission logic, and I think there are probably ways to solve this without using a policy.

[aburgel]

FWIW, our workaround was to add this to our base policy class:

def upload_file?
    Avo::Current.params["controller"] == "avo/actions"
end

As a matter of convention, we usually call file upload fields in actions file, so this blanket policy makes things work as expected without each resource-specific policy having to opt in.

[github-actions]

This issue has been marked as stale because there was no activity for the past 15 days.