14 replies

Actor can create data in other tenant

I'm testing wether a member of TenantA can create a project in TenantB. This test is failing (the :create is succeeding).
I thought that multitenancy would block this case, but perhaps I'm confusing things.

elixir 
  test "member_cannot_create_in_other_tenant" do
    tenant_a = create_tenant!(%{name: "A Tenant"})
    tenant_b = create_tenant!(%{name: "B Tenant"})
    member_a = create_member!(tenant_a)

    result = create_project(%{name: "Wrong"}, tenant_b.id, member_a)
    assert match?({:error, %Ash.Error.Forbidden{}}, result)
  end

elixir 
  test "member_cannot_create_in_other_tenant" do
    tenant_a = create_tenant!(%{name: "A Tenant"})
    tenant_b = create_tenant!(%{name: "B Tenant"})
    member_a = create_member!(tenant_a)

    result = create_project(%{name: "Wrong"}, tenant_b.id, member_a)
    assert match?({:error, %Ash.Error.Forbidden{}}, result)
  end

Following here are some snippets of the setup.

the resource (skipped parts)

elixir 
  [...]
  multitenancy do
    strategy :attribute
    attribute :tenant_id
  end
  [...]
  relationships do
    belongs_to :tenant, Api.Tenants.Tenant,
      allow_nil?: false,
      attribute_type: :uuid,
      public?: true

    belongs_to :image_file, Api.Files.File, allow_nil?: true, attribute_type: :uuid, public?: true
  end

  actions do
    [...]
    create :create do
      accept([:name, :description, :address, :image_file_id])
    end
    [...]
  end

  policies do
  [...]
    policy action(:create) do
        # does this override multitenancy?
        authorize_if always()
        # authorize_if Api.Policies.ActorInTenant
    end
  [...]
  end

elixir 
  [...]
  multitenancy do
    strategy :attribute
    attribute :tenant_id
  end
  [...]
  relationships do
    belongs_to :tenant, Api.Tenants.Tenant,
      allow_nil?: false,
      attribute_type: :uuid,
      public?: true

    belongs_to :image_file, Api.Files.File, allow_nil?: true, attribute_type: :uuid, public?: true
  end

  actions do
    [...]
    create :create do
      accept([:name, :description, :address, :image_file_id])
    end
    [...]
  end

  policies do
  [...]
    policy action(:create) do
        # does this override multitenancy?
        authorize_if always()
        # authorize_if Api.Policies.ActorInTenant
    end
  [...]
  end

Ash Framework•6mo ago•

14 replies

LukV

Actor can create data in other tenant

elixir 
  test "member_cannot_create_in_other_tenant" do
    tenant_a = create_tenant!(%{name: "A Tenant"})
    tenant_b = create_tenant!(%{name: "B Tenant"})
    member_a = create_member!(tenant_a)

    result = create_project(%{name: "Wrong"}, tenant_b.id, member_a)
    assert match?({:error, %Ash.Error.Forbidden{}}, result)
  end

elixir 
  test "member_cannot_create_in_other_tenant" do
    tenant_a = create_tenant!(%{name: "A Tenant"})
    tenant_b = create_tenant!(%{name: "B Tenant"})
    member_a = create_member!(tenant_a)

    result = create_project(%{name: "Wrong"}, tenant_b.id, member_a)
    assert match?({:error, %Ash.Error.Forbidden{}}, result)
  end

Following here are some snippets of the setup.

the resource (skipped parts)

elixir 
  [...]
  multitenancy do
    strategy :attribute
    attribute :tenant_id
  end
  [...]
  relationships do
    belongs_to :tenant, Api.Tenants.Tenant,
      allow_nil?: false,
      attribute_type: :uuid,
      public?: true

    belongs_to :image_file, Api.Files.File, allow_nil?: true, attribute_type: :uuid, public?: true
  end

  actions do
    [...]
    create :create do
      accept([:name, :description, :address, :image_file_id])
    end
    [...]
  end

  policies do
  [...]
    policy action(:create) do
        # does this override multitenancy?
        authorize_if always()
        # authorize_if Api.Policies.ActorInTenant
    end
  [...]
  end

elixir 
  [...]
  multitenancy do
    strategy :attribute
    attribute :tenant_id
  end
  [...]
  relationships do
    belongs_to :tenant, Api.Tenants.Tenant,
      allow_nil?: false,
      attribute_type: :uuid,
      public?: true

    belongs_to :image_file, Api.Files.File, allow_nil?: true, attribute_type: :uuid, public?: true
  end

  actions do
    [...]
    create :create do
      accept([:name, :description, :address, :image_file_id])
    end
    [...]
  end

  policies do
  [...]
    policy action(:create) do
        # does this override multitenancy?
        authorize_if always()
        # authorize_if Api.Policies.ActorInTenant
    end
  [...]
  end

Actor can create data in other tenant

Similar Threads

Actor can create data in other tenant

Similar Threads

Similar Threads

Similar Threads