Policy authorizer not applying to read action

I have this policy:

    policies do
      policy always() do
        authorize_if action(:create)
        authorize_if expr(user_id == ^actor(:id))
      end
    end
When I use Api.read on my read action (list) it is not filtering out records from other users. Is there something else I am supposed to configure for it to filter?
ZachDaniel, 2y ago
What if you say authorize?: true? The default behavior (changing in 3.0) is that we only do authorization when an actor was provided as an option, or when the authorize?: true flag is provided. If you want to change that, you can set:

    authorization do
      authorize :by_default
    end

in your api module
michaelst (OP), 2y ago
ah, thanks!
ZachDaniel, 2y ago
Keep in mind if you make that change I mentioned, you may need to change other things to use authorize?: false
michaelst (OP), 2y ago
I passed in the actor
