Ash Framework
6mo ago
8 replies
Joan Gavelán

Bypass all authorization for specific read action (including loaded relationships)

I have this read action:
```elixir
read :get_received_invitation do
  get_by :id
  multitenancy :bypass_all
  prepare build(load: [inviter: [:user], establishment: [:organization]])
  filter expr(email == ^actor(:email) and expires_at > now())
end
```

multitenancy :bypass_all solves the tenancy requirement issue, but the loaded relationships are still returning nil due to authorization.

Is there an equivalent to :bypass_all for authorization so that this action (and its loaded relationships) skips all authorization checks entirely?

Note: I tried writing policies on every related resource to allow an invited user to read them, but besides feeling like overkill, it felt wrong that an invited user could potentially access the dashboard by being able to read those related resources. I only want to access the related metadata for this specific action, nothing more.
Solution
I'd suggest using the accessing_from builtin check
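A sketch of how the suggested `accessing_from` check could be applied to the `establishment: [:organization]` load path, as an added example that is not part of the thread and not the poster's code. The module names, attributes and the `actor_attribute_equals(:role, :admin)` rule are assumptions standing in for the real resources; only the relationship names come from the action in the question.

```elixir
# Added example. Module names and the admin rule are assumptions; only the
# relationship names (:establishment, :organization) come from the question.
defmodule MyApp.Establishment do
  use Ash.Resource,
    domain: MyApp.Domain,
    data_layer: Ash.DataLayer.Ets,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
    attribute :name, :string, public?: true
  end

  relationships do
    belongs_to :organization, MyApp.Organization
  end

  actions do
    defaults [:read]
  end

  policies do
    policy action_type(:read) do
      # True only when this read is the load of Invitation.establishment.
      authorize_if accessing_from(MyApp.Invitation, :establishment)
      # Stand-in for the resource's normal read rule (assumption).
      authorize_if actor_attribute_equals(:role, :admin)
    end
  end
end

defmodule MyApp.Organization do
  use Ash.Resource,
    domain: MyApp.Domain,
    data_layer: Ash.DataLayer.Ets,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
  end

  actions do
    defaults [:read]
  end

  policies do
    policy action_type(:read) do
      # Second hop: the nested load runs through Establishment.organization.
      authorize_if accessing_from(MyApp.Establishment, :organization)
      authorize_if actor_attribute_equals(:role, :admin)
    end
  end
end
```

`accessing_from` keys on the source resource and relationship name, not on the `:get_received_invitation` action, so any read of the invitation that the actor is authorized for can load these records; the invitation resource's own policies and the action's filter remain the boundary.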