30 replies

Ash.Policy.FilterCheck

Are we using this wrong? We have the following policy module:

def describe(_opts), do: "Organization is one of the users orgs that they are an admin of"

def filter(actor, authorizer, _opts) do
  organization_id = authorizer.subject.arguments.organization_id
  hierarchy = Ash.calculate!(actor, :organization_hierarchy, args: %{id: actor.id, format: :tree})
  organization_ids = get_ancestry_path(hierarchy, organization_id)

  case filter_where_admin_of(organization_ids, actor.id) do
    [] ->
      false

    _ ->
      true
  end
end

def filter_where_admin_of(organization_ids, user_id) do
  organization_members = Ash.Query.filter(OrganizationMember, user_id == ^user_id and role == :admin)

  organization_ids
  |> Organization.get_by_ids!(load: [organization_members: organization_members])
  |> Enum.flat_map(& &1.organization_members)
  |> Enum.map(& &1.organization_id)
end

def describe(_opts), do: "Organization is one of the users orgs that they are an admin of"

def filter(actor, authorizer, _opts) do
  organization_id = authorizer.subject.arguments.organization_id
  hierarchy = Ash.calculate!(actor, :organization_hierarchy, args: %{id: actor.id, format: :tree})
  organization_ids = get_ancestry_path(hierarchy, organization_id)

  case filter_where_admin_of(organization_ids, actor.id) do
    [] ->
      false

    _ ->
      true
  end
end

def filter_where_admin_of(organization_ids, user_id) do
  organization_members = Ash.Query.filter(OrganizationMember, user_id == ^user_id and role == :admin)

  organization_ids
  |> Organization.get_by_ids!(load: [organization_members: organization_members])
  |> Enum.flat_map(& &1.organization_members)
  |> Enum.map(& &1.organization_id)
end

This is tied to an action:

policy action(:get_groups_for_organization) do
  description "Can only see dashboard groups where the actor is the owner of the group, or is an admin of that group's organization or of any of its parents"
  authorize_if AdminOfOrganizationHigherInHierarchy
end

policy action(:get_groups_for_organization) do
  description "Can only see dashboard groups where the actor is the owner of the group, or is an admin of that group's organization or of any of its parents"
  authorize_if AdminOfOrganizationHigherInHierarchy
end

However, even when the

filter

filter

function inside policy module returns

false

false

(from the

[]

[]

clause), the policy still authorizes the action. Running

DashboardGroup.can_get_groups_for_organization?(current_user, current_organization.id, %{})

DashboardGroup.can_get_groups_for_organization?(current_user, current_organization.id, %{})

returns

true

true

.

Should we be using

SimpleCheck

SimpleCheck

instead?

Ash Framework•10mo ago•

30 replies

Ege

Ash.Policy.FilterCheck

Are we using this wrong? We have the following policy module:

def describe(_opts), do: "Organization is one of the users orgs that they are an admin of"

def filter(actor, authorizer, _opts) do
  organization_id = authorizer.subject.arguments.organization_id
  hierarchy = Ash.calculate!(actor, :organization_hierarchy, args: %{id: actor.id, format: :tree})
  organization_ids = get_ancestry_path(hierarchy, organization_id)

  case filter_where_admin_of(organization_ids, actor.id) do
    [] ->
      false

    _ ->
      true
  end
end

def filter_where_admin_of(organization_ids, user_id) do
  organization_members = Ash.Query.filter(OrganizationMember, user_id == ^user_id and role == :admin)

  organization_ids
  |> Organization.get_by_ids!(load: [organization_members: organization_members])
  |> Enum.flat_map(& &1.organization_members)
  |> Enum.map(& &1.organization_id)
end

def describe(_opts), do: "Organization is one of the users orgs that they are an admin of"

def filter(actor, authorizer, _opts) do
  organization_id = authorizer.subject.arguments.organization_id
  hierarchy = Ash.calculate!(actor, :organization_hierarchy, args: %{id: actor.id, format: :tree})
  organization_ids = get_ancestry_path(hierarchy, organization_id)

  case filter_where_admin_of(organization_ids, actor.id) do
    [] ->
      false

    _ ->
      true
  end
end

def filter_where_admin_of(organization_ids, user_id) do
  organization_members = Ash.Query.filter(OrganizationMember, user_id == ^user_id and role == :admin)

  organization_ids
  |> Organization.get_by_ids!(load: [organization_members: organization_members])
  |> Enum.flat_map(& &1.organization_members)
  |> Enum.map(& &1.organization_id)
end

This is tied to an action:

policy action(:get_groups_for_organization) do
  description "Can only see dashboard groups where the actor is the owner of the group, or is an admin of that group's organization or of any of its parents"
  authorize_if AdminOfOrganizationHigherInHierarchy
end

policy action(:get_groups_for_organization) do
  description "Can only see dashboard groups where the actor is the owner of the group, or is an admin of that group's organization or of any of its parents"
  authorize_if AdminOfOrganizationHigherInHierarchy
end

However, even when the

filter

filter

function inside policy module returns

false

false

(from the

[]

[]

clause), the policy still authorizes the action. Running

DashboardGroup.can_get_groups_for_organization?(current_user, current_organization.id, %{})

DashboardGroup.can_get_groups_for_organization?(current_user, current_organization.id, %{})

returns

true

true

.

Should we be using

SimpleCheck

SimpleCheck

instead?

Ash.Policy.FilterCheck

Similar Threads

Ash.Policy.FilterCheck

Similar Threads

Similar Threads

Similar Threads