fix: don't check action's authorization on render if visible return…

… false (#3628) * fix: don't check action's authorization on render if `visible` returns false * lint
avo-hq · Jan 31, 2025 · c717dce · c717dce
1 parent 10610fb
commit c717dce
Showing 1 changed file with 8 additions and 13 deletions.
diff --git a/lib/avo/base_action.rb b/lib/avo/base_action.rb
@@ -10,7 +10,13 @@ class BaseAction
     class_attribute :cancel_button_label
     class_attribute :no_confirmation, default: false
     class_attribute :standalone, default: false
-    class_attribute :visible
+    class_attribute :visible, default: -> {
+      # Hide on the :new view by default
+      return false if view.new?
+
+      # Show on all other views
+      true
+    }
     class_attribute :may_download_file
     class_attribute :turbo
     class_attribute :authorize, default: true
@@ -207,25 +213,14 @@ def handle_action(**args)
     end
 
     def visible_in_view(parent_resource: nil)
-      return false unless authorized?
-
-      if visible.blank?
-        # Hide on the :new view by default
-        return false if view.new?
-
-        # Show on all other views
-        return true
-      end
-
-      # Run the visible block if available
       Avo::ExecutionContext.new(
         target: visible,
         params: params,
         parent_resource: parent_resource,
         resource: @resource,
         view: @view,
         arguments: arguments
-      ).handle
+      ).handle && authorized?
     end
 
     def succeed(text)