About policies

It seems that policies are not triggered. I found this and tried but without success. https://discord.com/channels/711271361523351632/1079519120971812914
# api code
authorization do
authorize :by_default
end

# organization code
policies do
policy always() do
authorize_if relates_to_actor_via(:users)
end
end

# code interface usage
Accounts.Organization.list!()
# [debug] QUERY OK source="acl_organizations" db=3.4ms idle=1311.1ms
# SELECT a0."id", a0."subject" FROM "acl_organizations" AS a0 []

Accounts.Organization.list!(authorize?: true)
# Policy | 🔎:
# authorize if: record.users == actor | ✘ | 🔎

Accounts.Organization.list!(actor: current_user)
# Policy | 🔎:
# authorize if: record.users == actor | ✓ | 🔎

# NOTE: the query is a little more complex because the resource has a many-to-many relationship with the actor
# [debug] QUERY OK source="acl_organizations" db=6.1ms queue=0.1ms idle=1397.1ms
# SELECT a0."id", a0."subject" FROM "acl_organizations" AS a0 WHERE (exists((SELECT 1 FROM "public"."acl_users" AS sa0 INNER JOIN "public"."acl_organization_user" AS sa1 ON (sa1."user_id" = sa0."id") AND (a0."id" = sa1."organization_id") WHERE (sa0."id"::uuid = $1::uuid)))) ["feeee177-9287-42c7-9bd4-d8372814b75f"]
From the examples we can see that policies are invoked only if I explicitly pass authorize?: true or actor: current_user, even though in the api I have defined authorize :by_default.
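The expectation in this thread (a filter policy on a read never raises; with authorize :by_default a read without an actor yields an empty list, and a read with an actor yields only related organizations) is exactly the kind of thing that a stale compile can silently break, so it is worth pinning down in a test. The ExUnit test below is an added example, not code from the thread or from Ash. It assumes the Accounts api, Accounts.Organization and Accounts.User resources as shown above, that both resources have a default :create action, that Accounts.User has a :name attribute, that the join resource behind the :users relationship accepts creates, that the datastore is empty at the start of each test, and that Accounts.Organization.list!/1 is the code interface from the post.

```elixir
# Added example: regression test for the read-policy behaviour discussed in the thread.
# Assumptions (not from the thread): Accounts.User has a :name attribute, both
# resources have a default :create action, the join resource accepts creates,
# and the datastore is empty when each test starts.
defmodule Accounts.OrganizationPolicyTest do
  use ExUnit.Case, async: false

  # Hypothetical fixture helper: fixtures are not what is under test, so
  # authorization is switched off explicitly while creating them.
  defp create_user!(name) do
    Accounts.User
    |> Ash.Changeset.for_create(:create, %{name: name})
    |> Accounts.create!(authorize?: false)
  end

  # Hypothetical fixture helper: creates an organization and links the given
  # users through the many-to-many :users relationship.
  defp create_org!(subject, users) do
    Accounts.Organization
    |> Ash.Changeset.for_create(:create, %{subject: subject})
    |> Ash.Changeset.manage_relationship(:users, users, type: :append_and_remove)
    |> Accounts.create!(authorize?: false)
  end

  setup do
    alice = create_user!("alice")
    bob = create_user!("bob")
    alice_org = create_org!("alice-org", [alice])
    _bob_org = create_org!("bob-org", [bob])
    %{alice: alice, alice_org: alice_org}
  end

  test "with authorize :by_default, a read without an actor returns nothing" do
    # relates_to_actor_via/1 is a filter check: with no actor it matches no
    # record, so the read succeeds with an empty result instead of raising.
    assert [] == Accounts.Organization.list!()
  end

  test "a read with an actor is filtered to the actor's organizations",
       %{alice: alice, alice_org: alice_org} do
    ids = Accounts.Organization.list!(actor: alice) |> Enum.map(& &1.id)
    assert ids == [alice_org.id]
  end

  test "authorize?: false bypasses the policy entirely" do
    # This is the unfiltered result the original post saw while :by_default was
    # not being honoured; it should only ever be reachable by opting out.
    assert length(Accounts.Organization.list!(authorize?: false)) == 2
  end
end
```

If the first test ever starts returning both organizations again, the policy is not being applied to unauthenticated reads, which is the failure mode the thread describes; running the suite after a dependency update is a cheap way to catch it before it reaches production.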
ZachDaniel • 3y ago
Are you familiar with the way filter policies work? For reads you won’t generally get forbidden errors, you will filter the result set to limit visibility.
roberts.gulans (OP) • 3y ago
Yes, that is exactly what I expect. After providing authorization authorize :by_default I expect that policies will be executed and only related data will be shown, or an empty list if the actor is not present. Currently, if the actor is not present, all organizations are listed. I did a dependency update/mix compile --force, and now it seems to work correctly.
ZachDaniel • 3y ago
Oh interesting, so :by_default wasn't being honored for you? (:by_default will be the default in 3.0)
roberts.gulans (OP) • 3y ago
It seems so. I don't know man, sometimes Elixir compiled parts get stuck and do not recompile correctly. Like once every month. Rarely enough that I don't think of it straight away, but often enough that I'm like, ah, once again 😄 Sorry for this thread, it's unrelated. It's my machine's fault 😄
ZachDaniel • 3y ago
Not a problem, glad you've got it figured out 😄