Working with Pundit, I was seeing this index page:
That was supposed to be 4 records, but they were showing as empty rows. Instead I was expecting to see the following:
The issue was that the Pundit scope for the model was returning those records, but the per-resource policy was returning false for `show?` on each one of them.
This is a bit of an edge case: if the user can't see the resources, surely the scope shouldn't be returning them. Still, I can think of a use case where some users can see them listed (with limited information) but can't access the show page (with additional information). In any case, Pundit allows for this, and I think this behaviour is a bug.
The fix itself is just in `app/views/administrate/application/_collection.html.erb`. Apart from that, this PR is mostly me figuring out a way to test this in a disposable way that doesn't affect other specs.
"Mostly", because there's one more thing. While working with this, I came across the `tabindex` settings on the index page. As they stand at the moment, each row is tabbable, as well as each individual cell inside each row. I understand this is because these are links, but it strikes me as very annoying to navigate. On the example above, you need to tab 5 times per row, and you get the same link for all 5 positions. I don't think this is the way `tabindex` is supposed to be used.
The reason I made this other change is because it's related: when applying the authorization fix, I had to also make rows tabbable only if they had a link. While changing this, I noticed the other behaviour.
Can someone who knows more about accessibility than me confirm all this?
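The scope/policy mismatch described above, as an added example that is not code from this PR or from Administrate: a plain-Ruby model that follows Pundit's naming (`show?`, `Scope#resolve`) without loading the gem. The `Order` model, the roles, the `/orders/` paths and the row markup are all assumptions made for illustration.

```ruby
# Plain-Ruby model of the situation; names follow Pundit's conventions but
# neither Pundit nor Administrate is loaded. All data below is constructed.
require "erb"

User  = Struct.new(:name, :role)
Order = Struct.new(:id, :customer, :restricted) # hypothetical model

class OrderPolicy
  def initialize(user, record)
    @user, @record = user, record
  end

  # Per-record check: only admins may open restricted orders.
  def show?
    @user.role == :admin || !@record.restricted
  end

  # Collection check: lists every order, whatever show? says for each one.
  class Scope
    def initialize(user, scope)
      @user, @scope = user, scope
    end

    def resolve
      @scope
    end
  end
end

# Render one index row. The cell is always rendered and escaped; the link
# target and the tabindex are emitted only when show? is allowed, so a row
# the user cannot open is still listed but is neither clickable nor tabbable.
def render_row(user, order)
  cell = "<td>#{ERB::Util.html_escape(order.customer)}</td>"
  if OrderPolicy.new(user, order).show?
    %(<tr tabindex="0" data-url="/orders/#{order.id}">#{cell}</tr>)
  else
    "<tr>#{cell}</tr>"
  end
end

def render_index(user, orders)
  OrderPolicy::Scope.new(user, orders).resolve.map { |o| render_row(user, o) }
end

ORDERS = [Order.new(1, "Ada", false), Order.new(2, "Grace & Co", true)]
```

Hiding the link is presentation only; the show action still has to run the same `show?` check on the server for the restriction to hold.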