app/controllers/administrate/application_controller.rb in administrate-0.8.1 vs app/controllers/administrate/application_controller.rb in administrate-0.9.0

@@ -25,12 +25,14 @@
         page: Administrate::Page::Show.new(dashboard, requested_resource),
       }
     end
 
     def new
+      resource = resource_class.new
+      authorize_resource(resource)
       render locals: {
-        page: Administrate::Page::Form.new(dashboard, resource_class.new),
+        page: Administrate::Page::Form.new(dashboard, resource),
       }
     end
 
     def edit
       render locals: {
@@ -38,10 +40,11 @@
       }
     end
 
     def create
       resource = resource_class.new(resource_params)
+      authorize_resource(resource)
 
       if resource.save
         redirect_to(
           [namespace, resource],
           notice: translate_with_resource("create.success"),
@@ -101,11 +104,13 @@
     def dashboard
       @_dashboard ||= dashboard_class.new
     end
 
     def requested_resource
-      @_requested_resource ||= find_resource(params[:id])
+      @_requested_resource ||= find_resource(params[:id]).tap do |resource|
+        authorize_resource(resource)
+      end
     end
 
     def find_resource(param)
       scoped_resource.find(param)
     end
@@ -118,13 +123,26 @@
       dashboard.association_includes
     end
 
     def resource_params
       params.require(resource_class.model_name.param_key).
-        permit(dashboard.permitted_attributes)
+        permit(dashboard.permitted_attributes).
+        transform_values { |v| read_param_value(v) }
     end
 
+    def read_param_value(data)
+      if data.is_a?(ActionController::Parameters) && data[:type]
+        if data[:type] == Administrate::Field::Polymorphic.to_s
+          GlobalID::Locator.locate(data[:value])
+        else
+          raise "Unrecognised param data: #{data.inspect}"
+        end
+      else
+        data
+      end
+    end
+
     delegate :dashboard_class, :resource_class, :resource_name, :namespace,
       to: :resource_resolver
     helper_method :namespace
     helper_method :resource_name
 
@@ -142,8 +160,22 @@
 
     def show_search_bar?
       dashboard.attribute_types_for(
         dashboard.collection_attributes
       ).any? { |_name, attribute| attribute.searchable? }
+    end
+
+    def show_action?(action, resource)
+      true
+    end
+    helper_method :show_action?
+
+    def new_resource
+      resource_class.new
+    end
+    helper_method :new_resource
+
+    def authorize_resource(resource)
+      resource
     end
   end
 end