How to allow only one action and forbid all others by default in policy?

From the docs: when multiple policies apply to the same request, all applicable policies must pass for the action to be authorized. I have a policy for the `:profile` read action, which is available only for the current actor:
```elixir
policy action(:profile) do
  authorize_if expr(id == ^actor(:id))
end
```
I want all the other actions to be forbidden by default. How can I achieve that? I tried this, but in that case I won't be able to reach the :profile action.
```elixir
policy always() do
  forbid_if always()
end
```
I suspect that instead of having a policy, I should have a bypass on the `:profile` action, right?
3 Replies
Solution
barnabasj (2mo ago)
forbid is the default, if no policy block applies to the action, so you can just remove this one
```elixir
policy always() do
  forbid_if always()
end
```
barnabasj (2mo ago)
bypass would also work, as it ignores other policy blocks if it resolves to authorized
Malian (OP, 2mo ago)
It was as simple as that. Thank you!
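
The default-deny behaviour described in the accepted answer, as an added example that is not part of the original thread: a resource whose only policy block covers `:profile`, with a second read action left uncovered. It assumes Ash 3.x fetched via `Mix.install`; the module names, the `:email` attribute, the ETS data layer and the seeded users are constructed for the illustration.

```elixir
# Added illustration (not from the thread). Assumes Ash 3.x; module names,
# the :email attribute and the seeded users are constructed for the example.
Mix.install([{:ash, "~> 3.0"}])

defmodule MyApp.Accounts.User do
  use Ash.Resource,
    domain: MyApp.Accounts,
    data_layer: Ash.DataLayer.Ets,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
    attribute :email, :string, public?: true
  end

  actions do
    defaults [:read]
    read :profile
  end

  policies do
    # The only policy block. No `policy always()` catch-all is needed:
    # an action that no policy block applies to is forbidden.
    policy action(:profile) do
      authorize_if expr(id == ^actor(:id))
    end
  end
end

defmodule MyApp.Accounts do
  use Ash.Domain, validate_config_inclusion?: false

  resources do
    resource MyApp.Accounts.User
  end
end

alias MyApp.Accounts.User
# Seeding bypasses actions, so it is not subject to the policies.
alice = Ash.Seed.seed!(User, %{email: "alice@example.test"})
_bob = Ash.Seed.seed!(User, %{email: "bob@example.test"})

# :profile is covered by the policy and filtered down to the actor's own row.
{:ok, [me]} = User |> Ash.Query.for_read(:profile, %{}, actor: alice) |> Ash.read()
true = me.id == alice.id

# :read has no applicable policy block, so the request is forbidden.
{:error, %Ash.Error.Forbidden{}} = Ash.read(User, actor: alice, authorize?: true)
```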
