add implicit_authorization to upgrade page & add proc possible value for `implicit_authorization`
Paul-Bob committed Oct 14, 2024
1 parent 7e2fa0e commit 6706c60
Showing 2 changed files with 24 additions and 0 deletions.
12 changes: 12 additions & 0 deletions docs/3.0/authorization.md
@@ -560,6 +560,18 @@ Check out [this guide](guides/rolify-integration.md) to add rolify role manageme
**`false`**
- If a policy class or method is **missing**, the action will be considered **authorized** by default.

**`Proc`**
- You can also set `implicit_authorization` as a `Proc` to apply custom logic. Within this block, you gain access to all attributes of [`Avo::ExecutionContext`](execution-context)

For example:

```ruby
config.implicit_authorization = -> {
current_user.access_to_admin_panel? && !current_user.admin?
}
```

In this case, missing policies will be handled based on the condition: if the user has access to the admin panel but isn't an admin, the `implicit_authorization` will be enabled. This option allows you to customize authorization decisions based on the context of the current user or other factors.
### Default
- For **new applications** (starting from Avo `3.13.4`) the default value for `implicit_authorization` is `true`. This provides a more secure out-of-the-box experience by ensuring actions without explicit authorization are denied.
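Review bot: the sentence after the Proc example ("if the user has access to the admin panel but isn't an admin, the `implicit_authorization` will be enabled") leaves the reader to infer what a truthy result means; state it directly, e.g. "when the Proc returns a truthy value, missing policies are denied exactly as with `true`; when it returns a falsy value they are authorized as with `false`". Two smaller points on the example itself: `access_to_admin_panel?` is not an Avo method, so mark it as an illustrative method on the application's user model, and because the block runs with `Avo::ExecutionContext` attributes, say what happens when `current_user` is absent (or write `current_user&.admin?`), so readers do not ship a Proc that raises inside the authorization path instead of denying.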
12 changes: 12 additions & 0 deletions docs/3.0/upgrade.md
@@ -4,6 +4,18 @@ We'll update this page when we release new Avo 3 versions.

If you're looking for the Avo 2 to Avo 3 upgrade guide, please visit [the dedicated page](./avo-2-avo-3-upgrade).

## Upgrade from 3.13.3 to 3.13.4

<Option name="`implicit_authorization`">

We’ve introduced the [`implicit_authorization`](authorization.html#implicit_authorization) configuration option to enhance the security of your applications. This option allows you to define how missing policy classes or methods are handled. When set to `true`, any action without an explicitly defined policy will automatically be denied, ensuring that unprotected actions are not unintentionally accessible. This new behavior offers a more secure approach for authorization.

For new applications, [`implicit_authorization`](authorization.html#implicit_authorization) is enabled by default, but existing applications will retain the legacy behavior (`false`), allowing missing policies or methods to authorize actions. We encourage you to adopt this new setting by enabling [`implicit_authorization`](authorization.html#implicit_authorization), as it provides greater control over your authorization flow and reduces the risk of unauthorized access due to missing policies. Before enabling it, be sure to review your policy classes to ensure all necessary methods are defined, preventing any unintended access restrictions.

We highly recommend taking a moment to read through the entire [`implicit_authorization`](authorization.html#implicit_authorization) documentation section before making any changes. Understanding this feature is crucial to ensuring your application's security and functionality, so don’t skip it!
</Option>


## Upgrade from 3.11.7 to 3.11.8
<Option name="Dynamic filters query">

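Review bot: the defaults paragraph says new applications get `true` and existing ones keep `false`, but not how that split is made; say whether the generated initializer writes `config.implicit_authorization = true` while the runtime default stays `false`, or whether the default depends on the Avo version, because an existing app whose initializer never sets the key needs to know which value applies after upgrading. The "review your policy classes" advice would be more actionable with the one-line opt-in shown inline (`config.implicit_authorization = true`) and a suggestion to enable it in a non-production environment first and exercise every resource and action, since each missing policy method now becomes a denial rather than a silent allow. Minor: the four links to `authorization.html#implicit_authorization` across three paragraphs can be reduced to the first mention, and there is a double blank line before the `## Upgrade from 3.11.7 to 3.11.8` heading.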
