Ash Framework • 3y ago
3 replies
Robert Graff

Custom reset password flow not passing policy checks

I have a custom live view with a reset password form.

AshPhoenix.Form.for_read(User, :request_password_reset_with_password, api: Iterup.Users)
  |> to_form()


which I submit like this:
AshPhoenix.Form.submit(socket.assigns.reset_password_form, params: params)


I would expect this to pass policy checks, but it doesn't:
Policy Breakdown
  Policy | ⛔:
    condition: action.type == :read
    authorize if: AshAuthentication is performing this interaction | ✘ | 🔎
    forbid unless: actor is present | ✘ | ⛔
    authorize if: id == {:_actor, :id} | ? |
    authorize if: record.memberships.account.memberships.user == actor | ? |


(I moved the check out of a bypass to have it listed in Policy Breakdown explicitly showing it as a fail)
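The policy that the breakdown above describes, reconstructed as an added example (not the poster's code). It assumes the module names Iterup.Users and Iterup.Users.User from the post, stands the default :read action in for the reset request (the policy condition is action.type == :read, so both are covered the same way), and leaves out the membership check because it needs the Membership and Account resources.

```elixir
defmodule Iterup.Users.User do
  # Assumed minimal resource; the real one carries AshAuthentication's actions.
  use Ash.Resource,
    data_layer: Ash.DataLayer.Ets,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
  end

  actions do
    defaults [:read]
  end

  policies do
    # Matches "condition: action.type == :read" in the breakdown.
    policy action_type(:read) do
      # Checks run top to bottom; the first decisive one ends evaluation.
      # 1. Calls made by AshAuthentication's own flows pass here. A plain
      #    AshPhoenix.Form submission is not such a call, hence the ✘.
      authorize_if AshAuthentication.Checks.AshAuthenticationInteraction
      # 2. With no actor (the normal state during a password reset) this
      #    forbids the read before the ownership checks below are consulted.
      forbid_unless actor_present()
      # 3. Reached only when an actor is present: the actor's own record.
      authorize_if expr(id == ^actor(:id))
      # 4. The last check in the breakdown would be
      #    relates_to_actor_via([:memberships, :account, :memberships, :user]);
      #    omitted because those relationships are not defined here.
    end
  end
end

defmodule Iterup.Users do
  use Ash.Api
  resources do
    resource Iterup.Users.User
  end
end

defmodule Iterup.PolicyDemo do
  # Runs the same read with and without an actor so the two paths through
  # the policy can be compared in IEx, e.g. read_as(nil) versus
  # read_as(%{id: Ash.UUID.generate()}).
  def read_as(actor) do
    Iterup.Users.User
    |> Ash.Query.for_read(:read)
    |> Iterup.Users.read(actor: actor)
  end
end
```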