Bug: Front end renders Delete Selected, Restore Selected, Force Delete Selected regardless of Policy and/or resource Authorization Setting #6831
Description
- Laravel Version: 11.38.2
- Nova Version: 5.2.7
- PHP Version: 8.3.1
- Database Driver & Version: MYSQL 8.0
- Operating System and Version: Ubuntu 22.04
Description:
When all resources are selected the trash can icon appears providing options to delete, restore, and force delete selected even when Policy or Resource explicitly disallow.
Previous Reports:
As communicated in the past before closing previous bug reports, there is concern about hydrating many model instances (each model is checked individually).
This issue is not new, however has been ignored repeatedly (not exhaustive):
- Trashcan appears when selecting all even though policy has delete false #6524
- Delete Button appears on after "Select All" checkbox is selected, even in Resources where the Policy does not allow to delete #6049
- Selected all checkbox allow to force delete all resourses. #5780
- Incorrect Deletion Behavior when Using "Select All Filtered" in Laravel Nova Entity List #5673
- Force deletion visual bug #4723
- Select All Matching will show delete button #3105
- Don't show the delete button when clicking "Select all matching" #3089
- Force delete is possible when selecting 'all matching' records, even if underlying policy returns false for force delete #2429
- Delete action is showing on index even with policy #2204
- Remove "Select All Matching" #1095
Still a Bug:
Performance considerations not-withstanding this is a bug, a button that should not be mounted is mounted and the user is left confused to why their intentional action is "not working".
Suggest Go-Forward:
A. Introduce a resource level policy check e.g. canDeleteAny(User $user): false - If present in policy short circuit the check (before model hydration)
B. Introduce a Resource property to disable the select all button