3 replies

Custom reset password flow not passing policy checks

I have a custom live view with a reset password form.

AshPhoenix.Form.for_read(User, :request_password_reset_with_password, api: Iterup.Users)
  |> to_form()

AshPhoenix.Form.for_read(User, :request_password_reset_with_password, api: Iterup.Users)
  |> to_form()

That I submit like this

AshPhoenix.Form.submit(socket.assigns.reset_password_form, params: params)

AshPhoenix.Form.submit(socket.assigns.reset_password_form, params: params)

I would expect this to pass policy checks, but it doesn't

Policy Breakdown
  Policy | ⛔:
    condition: action.type == :read    
    authorize if: AshAuthentication is performing this interaction | ✘ | 🔎    
    forbid unless: actor is present | ✘ | ⛔    
    authorize if: id == {:_actor, :id} | ? |     
    authorize if: record.memberships.account.memberships.user == actor | ? |

Policy Breakdown
  Policy | ⛔:
    condition: action.type == :read    
    authorize if: AshAuthentication is performing this interaction | ✘ | 🔎    
    forbid unless: actor is present | ✘ | ⛔    
    authorize if: id == {:_actor, :id} | ? |     
    authorize if: record.memberships.account.memberships.user == actor | ? |

(I moved the check out of a bypass to have it listed in Policy Breakdown explicitly showing it as a fail)

Ash Framework•3y ago•

3 replies

Robert Graff

Custom reset password flow not passing policy checks

I have a custom live view with a reset password form.

AshPhoenix.Form.for_read(User, :request_password_reset_with_password, api: Iterup.Users)
  |> to_form()

AshPhoenix.Form.for_read(User, :request_password_reset_with_password, api: Iterup.Users)
  |> to_form()

That I submit like this

AshPhoenix.Form.submit(socket.assigns.reset_password_form, params: params)

AshPhoenix.Form.submit(socket.assigns.reset_password_form, params: params)

I would expect this to pass policy checks, but it doesn't

Policy Breakdown
  Policy | ⛔:
    condition: action.type == :read    
    authorize if: AshAuthentication is performing this interaction | ✘ | 🔎    
    forbid unless: actor is present | ✘ | ⛔    
    authorize if: id == {:_actor, :id} | ? |     
    authorize if: record.memberships.account.memberships.user == actor | ? |

Policy Breakdown
  Policy | ⛔:
    condition: action.type == :read    
    authorize if: AshAuthentication is performing this interaction | ✘ | 🔎    
    forbid unless: actor is present | ✘ | ⛔    
    authorize if: id == {:_actor, :id} | ? |     
    authorize if: record.memberships.account.memberships.user == actor | ? |

(I moved the check out of a bypass to have it listed in Policy Breakdown explicitly showing it as a fail)

Custom reset password flow not passing policy checks

Similar Threads

Custom reset password flow not passing policy checks

Similar Threads

Similar Threads

Similar Threads