valid_actions? doesn't work for has_many relations
Created by: getaaron
- What were you trying to do?
I have a handful of `Role`s in my db like `Administrator`, `Author`, etc. A `User` `has_many` `Role`s.
I don't want users of the admin page to be able to destroy or edit roles, just view them. So I followed the instructions on https://github.com/thoughtbot/administrate/blob/main/docs/customizing_controller_actions.md#customizing-actions and added this to the roles controller:
```ruby
class RolesController < Admin::ApplicationController
  # Roles are read-only in the admin UI: reject edit/destroy, defer to Administrate for the rest.
  def valid_action?(name, resource = resource_class)
    %w[edit destroy].exclude?(name.to_s) && super
  end
end
```
I expected this to remove the edit and destroy buttons.
- What did you end up with (logs, or, even better, example apps are great!)?
Indeed, on the Roles page, the edit button is now gone.
However, on the Users dashboard page, I can still see Edit and Destroy buttons:

And they work, which unfortunately I think means that both:
- the view code needs to be updated for the has_many table
- the controller is not validating `valid_action?` — it's a frontend check only, which is a security concern
- What versions are you running?
- Rails 5.0.7.2
- administrate 9e462f71 (latest on `main`, also reproduces with 0.16.0 release)