Ash Framework • 2mo ago
Vic

Ash policies fail when they shouldn't

Here's the logs
Parameters: %{"form" => %{"role" => "admin"}}
[error] SimpleDemo.Accounts.User.change_role


forbidden:

SimpleDemo.Accounts.User.change_role


Policy Breakdown
user: %{id: "8c51795a-cc42-412f-aceb-a8b3ce36137d"}

Policy | 🔎:

condition: action == :change_role

forbid if: :admin == :super_admin | ? | 🔎

SAT Solver statement:

"action == :change_role" and
(("action == :change_role" and false) or not "action == :change_role")
Here's the policy
policy action(:change_role) do
  forbid_if expr(^arg(:role) == :super_admin)
end
I don't get why it fails
6 Replies
Vic (OP) • 2mo ago
The name of the arg is correct, the value as well. I mean, I changed the comparison to a string and I still get the same error
Parameters: %{"form" => %{"role" => "admin"}}
[error] SimpleDemo.Accounts.User.change_role


Policy Breakdown
user: %{id: "8c51795a-cc42-412f-aceb-a8b3ce36137d"}

Policy | 🔎:

condition: action == :change_role

forbid if: :admin == "super_admin" | ? | 🔎

SAT Solver statement:

"action == :change_role" and
(("action == :change_role" and false) or not "action == :change_role")

[warning] Unhandled error in form submission for SimpleDemo.Accounts.User.change_role

This error was unhandled because Ash.Error.Forbidden.Policy does not implement the `AshPhoenix.FormData.Error` protocol.

** (Ash.Error.Forbidden.Policy) Bread Crumbs:
> Returned from bulk query update: SimpleDemo.Accounts.User.change_role



** (Ash.Error.Forbidden.Policy) Bread Crumbs:
> Returned from bulk query update: SimpleDemo.Accounts.User.change_role


forbidden:

SimpleDemo.Accounts.User.change_role


Policy Breakdown
user: %{id: "8c51795a-cc42-412f-aceb-a8b3ce36137d"}

Policy | 🔎:

condition: action == :change_role

forbid if: :admin == "super_admin" | ? | 🔎

SAT Solver statement:

"action == :change_role" and
(("action == :change_role" and false) or not "action == :change_role")
I know, I know, the error conversion is my fault I guess, I have to read more on the integration in there, buuut the Forbidden is the part I don't understand.
I am also just getting the ? when I believe the rejected policies symbol is x.
This is pointing to the master branch on git.
ZachDaniel • 2mo ago
Right, so you're seeing a combination of behaviors there. Read policies filter by default. So that is saying ? as in "we'll have to filter", and also it's evaluating to false statically later on because we partially evaluate filters and:
"action == :change_role" and
(("action == :change_role" and false) or not "action == :change_role")
is false
Vic (OP) • 2mo ago
Wait, but why is it saying false? How can I trace/debug policies? 🤔
The only other policy is the one for ashauth by default.
I mean, I see why the SAT solver says false, that part I do understand, but in the code how may I check what's causing it?
Vic (OP) • 2mo ago
Here's a repo, https://github.com/Alt-iOS/simple_demo I'm the guy from the bug earlier yesterday 😅
Vic (OP) • 2mo ago
Oh God, I know what's happening. It's filter type, it should be strict, no?
ZachDaniel • 2mo ago
If you don't want it to filter, then yes. Like if you're looking to get it to forbid the request.