11 replies

Policy references

As shown in the diagram, I'm in a scenario where a container resource has a policy that permits access by either being the creator or a collaborator.

policy action(:read) do
  authorize_if relates_to_actor_via(:creator)
  authorize_if relates_to_actor_via(:collaborators)
end

policy action(:read) do
  authorize_if relates_to_actor_via(:creator)
  authorize_if relates_to_actor_via(:collaborators)
end

Is there a way to not have to repeat this logic in all the child resources, such that I could be properly authorized on

Item

Item

's read action?

I think it's possible to use

accessing_from

accessing_from

to allow reads of items when loading through containers, but that doesn't solve for direct access.

I guess this isn't the worst solution in the world…

policy action(:read) do
  authorize_if relates_to_actor_via([:container, :creator])
  authorize_if relates_to_actor_via([:container, :collaborators])
end

policy action(:read) do
  authorize_if relates_to_actor_via([:container, :creator])
  authorize_if relates_to_actor_via([:container, :collaborators])
end

But I'd much rather have something like

policy action(:read) do
  authorize_if related_resource_would_be_readable(:container)
end

policy action(:read) do
  authorize_if related_resource_would_be_readable(:container)
end

So a change to the container rules wouldn't require a policy change in all child resources of the container.

Solution

My suggestion is to use calculations for this.

Jump to solution

Ash Framework•8mo ago•

11 replies

RootCA

Policy references

As shown in the diagram, I'm in a scenario where a container resource has a policy that permits access by either being the creator or a collaborator.

policy action(:read) do
  authorize_if relates_to_actor_via(:creator)
  authorize_if relates_to_actor_via(:collaborators)
end

policy action(:read) do
  authorize_if relates_to_actor_via(:creator)
  authorize_if relates_to_actor_via(:collaborators)
end

Is there a way to not have to repeat this logic in all the child resources, such that I could be properly authorized on

Item

Item

's read action?

I think it's possible to use

accessing_from

accessing_from

to allow reads of items when loading through containers, but that doesn't solve for direct access.

I guess this isn't the worst solution in the world…

policy action(:read) do
  authorize_if relates_to_actor_via([:container, :creator])
  authorize_if relates_to_actor_via([:container, :collaborators])
end

policy action(:read) do
  authorize_if relates_to_actor_via([:container, :creator])
  authorize_if relates_to_actor_via([:container, :collaborators])
end

But I'd much rather have something like

policy action(:read) do
  authorize_if related_resource_would_be_readable(:container)
end

policy action(:read) do
  authorize_if related_resource_would_be_readable(:container)
end

So a change to the container rules wouldn't require a policy change in all child resources of the container.

Solution

My suggestion is to use calculations for this.

Jump to solution

Policy references

Policy references

Similar Threads

Similar Threads

Similar Threads