I have been looking for quite some time so this may be a noob-ish question. I have a couple of answers potentially, but I'd like to know kind of the standard way to write a policy for a resource where the relationship to that resource is how I would authorize the actor.
For example, let's say I have a GroupRequest resource which represents a user's request to join a group (contains a group_id and user_id). I also have a Group that has a group_admin relationship which belongs to a user. I'd only like actions occurring on a GroupRequest to be performed by the group_admin (and other similar resources such as GroupUser or GroupMembership).
which I believe is giving me what I want, but I can't seem to figure out how to write a policy for a create action in the same way. Let's say for a create action I'd like to "destroy" or "update" a group_request and then create the group_membership, but I'm not sure how to write a policy that does this. A simple check seems correct, but how do I pass the group_id from the create action into the check? Did I go about this the wrong way?
I also read I could potentially do a calculations field on any "group" related resource which loads the admin and then I do a check with the actor against that? What's the best scenario here?
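As an added illustration (not part of the original post and not Ash's policy DSL), here is a plain-Elixir sketch of the relationship-based check the question describes: for update/destroy the group_id is read from the existing GroupRequest, while for a create there is no record yet, so the group_id has to come from the create action's own input. The module name, the in-memory data, `group_admin_id`, and `authorize/3` are all assumptions made for the example; unknown groups or requests are denied rather than reported as missing, so the check fails closed.

```elixir
# Added example, not from the original post and not Ash's policy DSL.
# Plain Elixir showing relationship-based authorization for GroupRequest
# actions. Names (GroupAuth, group_admin_id, authorize/3) are assumptions.

defmodule GroupAuth do
  # Constructed in-memory data standing in for the database.
  @groups %{
    1 => %{id: 1, name: "ops", group_admin_id: 10},
    2 => %{id: 2, name: "dev", group_admin_id: 20}
  }

  @group_requests %{
    100 => %{id: 100, group_id: 1, user_id: 30},
    101 => %{id: 101, group_id: 2, user_id: 31}
  }

  def get_group(id), do: Map.fetch(@groups, id)
  def get_group_request(id), do: Map.fetch(@group_requests, id)

  # Core relationship check: the actor must be the admin of the group the
  # record relates to. An unknown group is treated as "not the admin".
  defp admin_of_group?(actor, group_id) do
    case get_group(group_id) do
      {:ok, %{group_admin_id: admin_id}} -> admin_id == actor.id
      :error -> false
    end
  end

  # Update/destroy: the group_id comes from the existing GroupRequest record.
  # A missing record is denied the same way as a wrong admin (fail closed).
  def authorize(actor, action, %{group_request_id: req_id})
      when action in [:update, :destroy] do
    case get_group_request(req_id) do
      {:ok, %{group_id: group_id}} -> decide(admin_of_group?(actor, group_id))
      :error -> {:error, :forbidden}
    end
  end

  # Create (e.g. a GroupMembership): no record exists yet, so the group_id
  # is taken from the create action's input and checked the same way.
  def authorize(actor, :create, %{group_id: group_id}) do
    decide(admin_of_group?(actor, group_id))
  end

  # Anything that does not match an explicit clause is denied by default.
  def authorize(_actor, _action, _input), do: {:error, :forbidden}

  defp decide(true), do: :ok
  defp decide(false), do: {:error, :forbidden}
end

# Constructed actors: user 10 administers group 1, user 20 administers group 2.
admin_of_ops = %{id: 10}
admin_of_dev = %{id: 20}

IO.inspect(GroupAuth.authorize(admin_of_ops, :destroy, %{group_request_id: 100}))
IO.inspect(GroupAuth.authorize(admin_of_dev, :destroy, %{group_request_id: 100}))
IO.inspect(GroupAuth.authorize(admin_of_ops, :create, %{group_id: 1, user_id: 30}))
IO.inspect(GroupAuth.authorize(admin_of_ops, :create, %{group_id: 2, user_id: 30}))
IO.inspect(GroupAuth.authorize(admin_of_ops, :destroy, %{group_request_id: 999}))
```

Run it with `elixir group_auth.exs`. The point it makes is that the same `admin_of_group?/2` check serves every action; only the source of the `group_id` differs, and for a create that source is the action input itself.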