Ash Policy DSL Syntax Issues - Need Help with authorize_if and policy_group

I'm implementing role-based authorization in an Ash 3.5.42 application but running into compilation errors with the policy DSL. Despite following the documentation examples, I'm getting undefined function authorize_if/1 errors.

Current Setup:

    defmodule Fmma.Authentication.DeviceRegistration do
      use Ash.Resource,
        domain: Fmma.Authentication,
        data_layer: AshPostgres.DataLayer,
        authorizers: [Ash.Policy.Authorizer],
        extensions: [AshArchival.Resource, AshPaperTrail.Resource]

      # This fails to compile
      policies do
        bypass actor_attribute_equals(:role, "admin") do
          authorize_if always() # ← undefined function authorize_if/1
        end

        policy_group actor_attribute_equals(:role, "director") do
          authorize_if always() # ← undefined function authorize_if/1
        end
      end
    end

Error Message:

    error: undefined function authorize_if/1 (there is no such import)
    error: undefined function actor_attribute_equals/2 (there is no such import)

What I've Tried:
- Added authorizers: [Ash.Policy.Authorizer] to resource
- Tried importing Ash.Policy.Check.Builtins
- Tried use Ash.Policy.Authorizer

Domain Configuration:

    defmodule Fmma.Authentication do
      use Ash.Domain, extensions: [AshTypescript.Rpc]

      authorization do
        require_actor? true
        authorize :by_default
      end
    end

All in all, the authorization framework compiles fine, but the policy DSL functions aren't available.
6 Replies

rellen (2w ago)
At first glance that looks correct 🤔 Have you tried rm -rf _build in the root of your project and recompiling? Another thing that you could try is adding your resource to your domain (if your domain snippet is indeed the entirety of that file), e.g.

    resources do
      resource Fmma.Authentication.DeviceRegistration
    end

Zeeshan (OP, 2w ago)
Thanks for the suggestion for a clean build. All the undefined function errors are gone and the policy DSL compiles perfectly.

    policies do
      bypass actor_attribute_equals(:role, "admin") do
        authorize_if always() # ← This now compiles!
      end

      policy action(:pending_approvals) do
        authorize_if actor_attribute_equals(:role, "director") # ← This works too!
      end
    end

While the policies compile, the actor context from RPC calls isn't reaching the policy evaluation. Even bypass actor_present() fails when an actor is provided via RPC:

    {
      "action": "get_pending_approvals",
      "actor": {"id": "...", "role": "director"}, // Actor provided
      "fields": ["id", "agentName", "status"]
    }

This still returns forbidden! Wondering if actor context isn't being passed from AshTypescript.Rpc to the Ash policy system.

The issue is not with policies. They work perfectly when called directly with Ash.read(Resource, actor: actor). The issue should be with AshTypescript.Rpc - it doesn't forward the "actor" parameter from RPC calls to the underlying Ash.read() calls.

Zeeshan (OP, 2w ago)
Aannddd seems like i found the issue. Following the documentation again, AshTypescript expects the actor to be set on the connection/socket, not passed as a parameter in the RPC call! I tested all the flows now and it works flawlessly 🎉
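
The fix described in the post above, as an added example that is not part of the original thread or of AshTypescript's own code: a Plug that sets the Ash actor on the conn from the server-side session with Ash.PlugHelpers.set_actor/2, so the role that policies evaluate never comes from the request body. The module name FmmaWeb.Plugs.SetActor, the :user_id session key and the in-module user table are assumptions for illustration.

```elixir
defmodule FmmaWeb.Plugs.SetActor do
  @moduledoc """
  Added example (hypothetical module): puts the Ash actor on the conn so
  that actions run with this conn are authorized against a trusted identity.
  """
  @behaviour Plug
  import Plug.Conn, only: [get_session: 2]

  # Constructed sample users standing in for the application's user store.
  @users %{
    "u-1" => %{id: "u-1", role: "director"},
    "u-2" => %{id: "u-2", role: "agent"}
  }

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    # The identity is read from the session created at login (the session
    # must already be fetched by an earlier plug). An "actor" key in the
    # JSON body is never consulted, so a client cannot choose its own role.
    with user_id when is_binary(user_id) <- get_session(conn, :user_id),
         {:ok, user} <- load_user(user_id) do
      Ash.PlugHelpers.set_actor(conn, user)
    else
      # No session or unknown user: leave the actor unset. Role checks such
      # as actor_attribute_equals(:role, "director") then do not pass.
      _ -> conn
    end
  end

  # Hypothetical lookup; replace with the application's own user read.
  defp load_user(user_id), do: Map.fetch(@users, user_id)
end
```

Place the plug in the router pipeline that serves the RPC endpoint, after the session has been fetched.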

Zeeshan (OP, 7d ago)
I have seen this, but then I assumed Ash's one was superior:
https://hexdocs.pm/ash/actors-and-authorization.html
https://hexdocs.pm/ash/policies.html
I will check this again.

barnabasj (7d ago)
it's just a small wrapper that creates ash policies for you