AE
Ash Elixir3y ago
Blibs

Why my policy is always blocking the function call?

I want to add a policy to only accept calling the confirm (ash authentication email confirmation action) action when the actor confirmed_at is nil. To do that, I added: 
  policies do
    bypass AshAuthentication.Checks.AshAuthenticationInteraction do
      authorize_if always()
    end

    policy action(:confirm) do
      forbid_unless actor_attribute_equals(:confirmed_at, nil)
    end

    policy always() do
      authorize_if always()
    end
  end
  policies do
    bypass AshAuthentication.Checks.AshAuthenticationInteraction do
      authorize_if always()
    end

    policy action(:confirm) do
      forbid_unless actor_attribute_equals(:confirmed_at, nil)
    end

    policy always() do
      authorize_if always()
    end
  end
But, if when I send the actor, it has the field as nil, it will still be blocked by the second policy. Any ideas why?
3 Replies
ZachDaniel
ZachDaniel3y ago
Any check that references the actor will evaluate to false if there is no actor. Oh, but that’s not your problem. There is no check that will set that policy to an authorized status Forbid unless can forbid the policy, but if we get to the end of the checks and nothing has made it authorized, then it will be forbidden You probably want something like authorize_if … there. What exactly are you trying to accomplish with that policy?
Blibs
BlibsOP3y ago
Ah, I see, so basically something like this: 
    policy action(:confirm) do
      forbid_unless actor_attribute_equals(:confirmed_at, nil)
      authorize_if always()
    end
    policy action(:confirm) do
      forbid_unless actor_attribute_equals(:confirmed_at, nil)
      authorize_if always()
    end
Basically I don't want this call to be accessible after the user already confirmed his email Doing that way worked great, thanks, now it makes sense. I thought it would just go straight to the last policy.
ZachDaniel
ZachDaniel3y ago
Yeah, and you want a check in here that the actor is the same as the user in question, BTW

Did you find this page helpful?