Ash Framework
6mo ago
11 replies
RootCA

Policy references

As shown in the diagram, I'm in a scenario where a container resource has a policy that permits access by either being the creator or a collaborator.

policy action(:read) do
  authorize_if relates_to_actor_via(:creator)
  authorize_if relates_to_actor_via(:collaborators)
end


Is there a way to not have to repeat this logic in all the child resources, such that I could be properly authorized on Item's read action?

I think it's possible to use accessing_from to allow reads of items when loading through containers, but that doesn't solve for direct access.

I guess this isn't the worst solution in the world:
policy action(:read) do
  authorize_if relates_to_actor_via([:container, :creator])
  authorize_if relates_to_actor_via([:container, :collaborators])
end


But I'd much rather have something like:
policy action(:read) do
  authorize_if related_resource_would_be_readable(:container)
end


So a change to the container rules wouldn't require a policy change in all child resources of the container.
Screenshot_2025-07-25_at_6.25.00_AM.png
Solution
My suggestion is to use calculations for this.
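
One way to apply the calculation suggestion to the container/item policies from the question, as an added example that is not code from the thread or from the Ash project. The module names, the `readable_by_actor` calculation name and the Ets data layer are assumptions; `MyApp.Domain`, `MyApp.User` and the join resource `MyApp.Collaboration` are assumed to be defined elsewhere in the application.

```elixir
# Added example. Module names are hypothetical; MyApp.Domain, MyApp.User and the
# join resource MyApp.Collaboration are assumed to be defined elsewhere.
defmodule MyApp.Container do
  use Ash.Resource, domain: MyApp.Domain, data_layer: Ash.DataLayer.Ets,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
  end
  relationships do
    belongs_to :creator, MyApp.User
    many_to_many :collaborators, MyApp.User, through: MyApp.Collaboration
  end
  calculations do
    # The one place that defines who may read a container.
    calculate :readable_by_actor, :boolean,
      expr(creator_id == ^actor(:id) or exists(collaborators, id == ^actor(:id)))
  end
  actions do
    defaults [:read]
  end
  policies do
    policy action(:read) do
      authorize_if expr(readable_by_actor)
    end
  end
end

defmodule MyApp.Item do
  use Ash.Resource, domain: MyApp.Domain, data_layer: Ash.DataLayer.Ets,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
  end
  relationships do
    belongs_to :container, MyApp.Container
  end
  actions do
    defaults [:read]
  end
  policies do
    policy action(:read) do
      # Child resource reuses the parent's rule instead of restating it.
      authorize_if expr(container.readable_by_actor)
    end
  end
end
```

With this layout, a change to who may read a container is made only in the `readable_by_actor` expression, and the item policy follows it for both direct reads and loads through the container.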