Closed
Description
Did you find a bug?
Filter values don't use policy scopes.
I understand there is a manual way to scope the values of a filter, but as the collection of any resource index is by default scoped by the policy adapter (when there is one), so should filter values be; it can lead to a serious data breach.
I am even surprised to have found nothing on the internet about that.
Another possibility is that I am missing something?
Expected behavior
On the user index page, in the "company" filter, I should only see my own company.
Actual behavior
I see all companies.
How to reproduce
```ruby
class Company < ApplicationModel
  has_many :users
  has_many :admin_users
end

class AdminUser < ApplicationModel
  # my actual active_admin / devise user, the one that logs into the portal
end

class User < ApplicationModel
  belongs_to :company
end

# On this page, I have a company filter; I can try to filter by any company
# (I see all existing companies).
ActiveAdmin.register(User) {}
```
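The gap this report describes, as an added example that is not part of the original issue and is not ActiveAdmin or Pundit code: index rows pass through a policy scope while filter options are built from the full table. The in-memory records, scope classes and helper names are all constructed for illustration; `leaked_option_ids` is the kind of check a regression test could assert on.

```ruby
# Constructed in-memory stand-ins for the models in the report.
Company   = Struct.new(:id, :name)
AdminUser = Struct.new(:id, :company_id)
User      = Struct.new(:id, :name, :company_id)

COMPANIES = [Company.new(1, "Acme"), Company.new(2, "Globex"), Company.new(3, "Initech")].freeze
USERS     = [User.new(10, "ann", 1), User.new(11, "bob", 2), User.new(12, "cy", 3)].freeze

# Hypothetical policy scope: an admin may only see their own company.
class CompanyPolicyScope
  def initialize(admin, records)
    @admin = admin
    @records = records
  end

  def resolve
    @records.select { |company| company.id == @admin.company_id }
  end
end

# Index rows: narrowed to the admin's company, as the policy adapter does for the index.
def index_rows(admin)
  allowed = CompanyPolicyScope.new(admin, COMPANIES).resolve.map(&:id)
  USERS.select { |user| allowed.include?(user.company_id) }
end

# Filter options as reported: every company, no scope applied.
def filter_options_unscoped(_admin)
  COMPANIES.map { |company| [company.name, company.id] }
end

# Filter options with the manual fix: the same scope the index uses.
def filter_options_scoped(admin)
  CompanyPolicyScope.new(admin, COMPANIES).resolve.map { |company| [company.name, company.id] }
end

# Regression check: ids offered in the filter that the admin's scope does not allow.
def leaked_option_ids(admin, options)
  allowed = CompanyPolicyScope.new(admin, COMPANIES).resolve.map(&:id)
  options.map(&:last) - allowed
end
```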