How to write a policy to ensure the user belongs to the tenant through a membership relation?
I have read many examples on multitenancy implementation with Ash, but most of these examples assume that the user belongs to one tenant.
In my case, a user can belong to one or more tenants and can switch from one to another using a select list.
We therefore have three resources, Organization, User, and Membership, to make the connection. Our application mainly uses a JSON API where we pass an authentication token in each request, as well as a custom X-Org-Id header with the current tenant ID the user selected.
I would like to create a policy that ensures that the user belongs to the organization through the Membership relationship.
I thought about using the relates_to_actor_via function (https://hexdocs.pm/ash/Ash.Policy.Check.Builtins.html#relates_to_actor_via/2), but it doesn't work when creating a resource. I understand this restriction if it depends on the content of the resource, but that's not the case here.
This use case seems standard to me, so I'm thinking I'm probably missing something. Any ideas on how I could do this?
Edit: Without that check, it means that the User could create a resource under an Organization that he does not belong to, correct?

1 Reply
Based on my experience, it will require writing a custom FilterCheck. I was dealing with something similar here - https://discord.com/channels/711271361523351632/1418525578306257007.
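One way to enforce the membership requirement from the question on every action, including creates, as an added example that is not code from the thread or from the Ash project. It uses an `Ash.Policy.SimpleCheck` (not the FilterCheck mentioned in the reply) because the decision depends only on the actor and the tenant, not on the record. Assumptions: the `MyApp.*` module names and the `user_id` / `organization_id` attributes are hypothetical, the tenant set from the X-Org-Id header is the organization ID, `Membership` is not itself tenant-scoped, and the check context exposes the changeset or query under `:subject`.

```elixir
# Added example. MyApp.Accounts.Membership and its user_id / organization_id
# attributes are hypothetical names; replace them with your own resources.
defmodule MyApp.Checks.ActorIsMemberOfTenant do
  use Ash.Policy.SimpleCheck
  require Ash.Query

  def describe(_opts), do: "actor has a membership in the current tenant"

  # No authenticated actor: never authorize.
  def match?(nil, _context, _opts), do: false

  def match?(actor, context, _opts) do
    case tenant_from(context) do
      # No tenant on the request: fail closed instead of skipping the check.
      nil ->
        false

      tenant ->
        user_id = actor.id

        # Assumption: the tenant value is the organization ID itself.
        # authorize?: false avoids recursing into Membership's own policies.
        MyApp.Accounts.Membership
        |> Ash.Query.filter(user_id == ^user_id and organization_id == ^tenant)
        |> Ash.exists?(authorize?: false)
    end
  end

  # Assumption: the changeset/query is available under :subject and carries
  # the tenant that was set for the request.
  defp tenant_from(%{subject: %{tenant: tenant}}), do: tenant
  defp tenant_from(_context), do: nil
end

# In each tenant-scoped resource (sketch):
#
#   policies do
#     policy always() do
#       authorize_if MyApp.Checks.ActorIsMemberOfTenant
#     end
#   end
```

Because the check runs a query per authorization, caching the actor's organization IDs on the actor at authentication time is a common optimization, at the cost of stale memberships until the token is refreshed.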