Ash Elixir•3y ago
axdc

Not seeing policy authorization errors

I'm adding policies to my app, feeling my way to the correct modeling of my domain, and when submitting an action all I see in iex is:
[warning] Unhandled error in form submission for Panacea.Accounts.User.add_user

This error was unhandled because it did not implement the `AshPhoenix.FormData.Error` protocol.

** (Ash.Error.Forbidden.Policy) forbidden:

Panacea.Accounts.User.add_user
rather than Ash's nice verbose breakdown. I have the config from the documentation set up:
config :ash, :policies, show_policy_breakdowns?: true
I've tried it at the top of the file, at the bottom of the file, etc, mix clean && mix compile just to be safe. Trying to figure out what I'm missing.
10 Replies
dungnguyen8134•3y ago
Have you added a policy for the :add_user action?
Alan Heywood•3y ago
You could try adding config :ash, :policies, log_policy_breakdowns: :error as well
axdcOP•3y ago
The policies for the User resource:
policies do
  bypass actor_attribute_equals(:staff, true) do
    authorize_if always()
  end

  policy action_type([:read]) do
    authorize_if always()
  end
end
I've done this and now there's one additional line in red above the original message!
[error] Panacea.Accounts.User.add_user
[warning] Unhandled error in form submission for Panacea.Accounts.User.add_user

This error was unhandled because it did not implement the `AshPhoenix.FormData.Error` protocol.

** (Ash.Error.Forbidden.Policy) forbidden:

Panacea.Accounts.User.add_user
Alan Heywood•3y ago
I'm not sure why you're not getting a policy breakdown, however my next step would be to see if the error goes away with a policy such as:
policy always() do
  authorize_if always()
end
axdcOP•3y ago
Yes, no errors at all with the policies set to allow always.
ZachDaniel•3y ago
Do you have any policies on the resource? There won't be a policy breakdown if you don't
dungnguyen8134•3y ago
Have you checked if actor.staff is true? Policies look ok.
ZachDaniel•3y ago
I think it's just that no policies apply, so nothing shows up in the breakdown. Which should probably be made clearer.
axdcOP•3y ago
Sorry for the late response. I suddenly started getting the breakdowns mid-troubleshooting last night and I have no idea why. I did have policies configured at the time of the OP, which was the source of my grievance -- I wanted to troubleshoot the policies, so I went looking for how to turn on the breakdowns. When you say policies, do you mean specifically policy blocks, i.e. bypass blocks don't count? If that's the case, I think that might have been it. (I did resolve my policy troubleshooting through a combination of trial and error, facepalming, and eventually the breakdowns showing up again for reasons I don't fully understand yet. Thanks!)
ZachDaniel•3y ago
Strange, but glad you got it worked out 🙂
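
An added example, not code from any participant in the thread or from the Ash project: the User policies posted above, extended with a policy scoped to the :add_user action. It assumes :add_user should stay staff-only; the description strings are illustrative. Following ZachDaniel's explanation, a non-staff actor calling :add_user matches neither of the original blocks, so the request is forbidden with no policy to report.

```elixir
# Goes inside the Panacea.Accounts.User resource, which must declare
#   authorizers: [Ash.Policy.Authorizer]
# in its `use Ash.Resource` options for policies to be enforced.
policies do
  # Staff skip the remaining policies. When the actor is not staff this
  # bypass does not apply, and evaluation moves on to the policies below.
  bypass actor_attribute_equals(:staff, true) do
    authorize_if always()
  end

  # Applies to read actions only. It never matches :add_user.
  policy action_type(:read) do
    description "Anyone may read users"
    authorize_if always()
  end

  # Added (assumption: :add_user is meant to be staff-only). With this in
  # place a policy applies to :add_user for every actor, so a denial is
  # attributed to a named policy instead of to "no policy applies".
  policy action(:add_user) do
    description "Only staff may add users"
    authorize_if actor_attribute_equals(:staff, true)
  end
end
```

Unlike the `policy always()` diagnostic, this keeps every other non-read action denied by default for non-staff actors.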