Can I pass an argument to a custom policy check
I have the following resources:
publisher, book, chapter, user, permissions.
My relationships look like the following:
Users are given permissions to a publisher. These permissions are an array of arbitrary strings.
Books are directly related to a publisher, and chapter belong to the book directly, but not the publisher.
Problem:
I want to check if a user has the correct permissions for the given publisher that's passed in as an argument for the changesets for both the book and chapter resources. I thought I could do something along the lines of authorize_if expr(has_create_permissions(actor, publisher, permissions)) but I'm having trouble figuring out where I should be defining the has_create_permissions function.
Is this something I can (or even should) do?7 Replies
The reason I'm not using a simple check, is that the context resource may not always include the publisher, or publisher_id at the moment, though I can update my tables to always include it if need be.
Alternatively I could add a change to always put the publisher_id into the context? But I was wondering if there was a way to use the arguments like described above.
You can define a custom filter check
See the filter checks here: https://hexdocs.pm/ash/policies.html
You could then do things like
{HasPermissions, through: [...]} if there are joins that have to happen etc.
for updates/destroys, often you'd end up w/ something like authorize_if expr(exists(chapter.book.publisher.permissions, id == ^actor(:id)))
for creates you'd need a custom simple check since you can't use filter checks on createsYeah - I've got a filter check for everything but the create action, but I was having trouble with the custom simple check for the create action
There's no way to pass in the argument from the changeset into the simple check, except through the context then?
The simple check gets the changeset itself
authorizer.subject
you can get the arguments from that
Is that an issue?I don't see
subject for simple checks, but you're right. I can do grab the changeset off the context passed into create actions. I totally missed that.
Thanks Zach!Like this example: https://hexdocs.pm/ash/Ash.Policy.SimpleCheck.html#module-example
Got it - thank you again!