Custom reset password flow not passing policy checks

I have a custom live view with a reset password form.
AshPhoenix.Form.for_read(User, :request_password_reset_with_password, api: Iterup.Users)
|> to_form()
That I submit like this:
AshPhoenix.Form.submit(socket.assigns.reset_password_form, params: params)
I would expect this to pass policy checks, but it doesn't:
Policy Breakdown
Policy | ⛔:
condition: action.type == :read
authorize if: AshAuthentication is performing this interaction || 🔎
forbid unless: actor is present ||
authorize if: id == {:_actor, :id} | ? |
authorize if: record.memberships.account.memberships.user == actor | ? |
(I moved the check out of a bypass to have it listed in Policy Breakdown explicitly showing it as a fail)
ZachDaniel (3y ago)
That custom call isn't considered to be "AshAuthentication" performing the interaction. So you'd need to add something to your policies to allow your current invocation of it. Or add context: %{private: %{ash_authentication?: true}}
