Ash Framework, 8mo ago
4 replies
Joan Gavelán

Relationship-Based Policies

I’m building an app with a many-to-many between Users and Teams via a TeamMember join resource and need guidance writing two related authorization policies:

1. TeamMember Resource Policy

In team_member.ex I’ve defined:
read :list_team_members do
  prepare build(load: :user)
end

I need to allow reading a TeamMember record only if the actor is also a member of the same team.

These are the relationships defined in this resource:
relationships do
  belongs_to :user, Noted.Accounts.User do
    public? true
    allow_nil? false
  end

  belongs_to :team, Noted.Workspace.Team do
    public? true
    allow_nil? false
  end
end

2. User Resource Policy

Since the above action loads the :user relationship, I also need a similar rule in user.ex. How can I allow reading another user only when the actor and the target user share the same team?

This is the relationship defined in my User resource:
relationships do
  many_to_many :teams, Noted.Workspace.Team do
    through Noted.Workspace.TeamMember
    join_relationship :team_membership
  end
end
Solution
You can use relates_to_actor_via
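
How `relates_to_actor_via` could be applied to the two resources in the question, as an added example that is not code from the thread. It assumes `Noted.Workspace.Team` exposes a `:users` many-to-many relationship (not shown on the page; the `team.ex` file name is also assumed) and that both resources list `Ash.Policy.Authorizer` in their `authorizers:` option.

```elixir
# team.ex (assumed): gives the policies a path from a team to its users.
# The default join attributes (team_id / user_id) match the belongs_to
# relationships declared on TeamMember in the question.
relationships do
  many_to_many :users, Noted.Accounts.User do
    through Noted.Workspace.TeamMember
  end
end

# team_member.ex: a TeamMember row is readable only when the actor is one
# of the users of that row's team (TeamMember -> team -> users).
policies do
  policy action_type(:read) do
    authorize_if relates_to_actor_via([:team, :users])
  end
end

# user.ex: a User is readable only when the actor is among the users of at
# least one of that user's teams (User -> teams -> users). This policy also
# governs the :user relationship loaded by :list_team_members.
policies do
  policy action_type(:read) do
    authorize_if relates_to_actor_via([:teams, :users])
  end
end

# Exercising the policy: the actor must be passed for the check to apply.
# `current_user` is a placeholder for a loaded Noted.Accounts.User.
Noted.Workspace.TeamMember
|> Ash.Query.for_read(:list_team_members)
|> Ash.read!(actor: current_user)
```

`relates_to_actor_via` is a filter check, so on read actions it narrows the result set to matching rows rather than rejecting the whole request; verify with an actor who belongs to no shared team that both the TeamMember rows and the loaded users come back empty.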