No actor, policy enforcement.
When creating the policy for read that "relates_to_actor_via" the policy only seems to come into play if there is an actor. If no actor is passed then that policy seems to be ignored.
E.g. the images below. If you pass the incorrect actor, it does not pass data. As expected. If you pass no actor, it gives you everything. As per the second image. Is this an error in my own logic or is this a bug?


6 Replies
It's not an error in your logic, it's default behavior that will likely be changed soon 🙂
In the security guide, we suggest adding to your api module `authorize :by_default`, which is the equivalent of passing `authorize?: true` on all requests.
By default, `authorize?: false` is the behavior unless either `authorize?: true` is passed or the `actor` key is provided.
Found 4 Guides results in ash:
* Security: https://ash-hq.org/docs/guides/ash/2.6.9/topics/security
* Policies: https://ash-hq.org/docs/guides/ash/2.6.9/topics/policies
* Why Ash: https://ash-hq.org/docs/guides/ash/2.6.9/tutorials/why-ash
* Glossary: https://ash-hq.org/docs/guides/ash/2.6.9/topics/glossary
That top guide should have some info for you
Okay, excellent. I'll give that a read and take those steps to secure the endpoint. Thank you, very much!
No problem 🙂 In 3.0 this will be the default.
Awesome! 😄
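
The setting discussed in this thread, as an added example that is not part of the original posts or the Ash project's own code. It targets Ash 2.x (the version of the linked guides) and needs the `ash` dependency; the `MyApp.*` modules and the `:owner` relationship are assumed names.

```elixir
# Added example for Ash 2.x; MyApp.* and :owner are assumed names.
defmodule MyApp.User do
  use Ash.Resource, data_layer: Ash.DataLayer.Ets
  attributes do
    uuid_primary_key :id
  end
end

defmodule MyApp.Image do
  use Ash.Resource,
    data_layer: Ash.DataLayer.Ets,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
  end
  relationships do
    belongs_to :owner, MyApp.User
  end
  actions do
    defaults [:read]
  end

  policies do
    # The read policy from the question: only records related to the actor.
    policy action_type(:read) do
      authorize_if relates_to_actor_via(:owner)
    end
  end
end

defmodule MyApp.Api do
  use Ash.Api

  # Without this block a call runs policies only when it passes
  # `authorize?: true` or an `actor`.
  authorization do
    authorize :by_default
  end

  resources do
    resource MyApp.User
    resource MyApp.Image
  end
end

# Call sites (`user` is a MyApp.User record):
#   MyApp.Api.read(MyApp.Image, actor: user)       # policies run either way
#   MyApp.Api.read(MyApp.Image)                    # policies now run, with no actor
#   MyApp.Api.read(MyApp.Image, authorize?: false) # explicit opt-out still skips them
```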