10 replies

Mixing read action in `action_type` policy condition with other types; Error instead of filtering

Hi all,

After upgrading to Ash

3.7.0

3.7.0

my tests for asserting that actions under policies requiring an actor being present started throwing

Ash.Errors.Forbidden

Ash.Errors.Forbidden

for read actions instead of just filtering and warning on

:debug

:debug

policies do
  policy action_type([:create, :read, :update]) do
    authorize_if actor_present()
  end

  policy action_type(:destroy) do
    authorize_if IsAdmin
    authorize_if relates_to_actor_via(:created_by)
  end
end

policies do
  policy action_type([:create, :read, :update]) do
    authorize_if actor_present()
  end

  policy action_type(:destroy) do
    authorize_if IsAdmin
    authorize_if relates_to_actor_via(:created_by)
  end
end

However, if I break out the first policy into individual policies where

action_type

action_type

gets a single atom for action type instead of a list, no error is thrown and the filtering in my tests occur as previously expected:

policy action_type(:read) do
  authorize_if actor_present()
end
# and the same for :create, :update

policy action_type(:read) do
  authorize_if actor_present()
end
# and the same for :create, :update

I'd like to think that

3.7.0

3.7.0

wouldn't introduce a change in the policies logic but I'm very open to it providing improved implementations that catch any of my stupid mistakes

A self-contained reproduction:

https://github.com/carlgleisner/policy_repro

GitHub

GitHub - carlgleisner/policy_repro

Contribute to carlgleisner/policy_repro development by creating an account on GitHub.

Solution

@Carl please try

main

main

Jump to solution

Ash Framework•5mo ago•

10 replies

Carl

Mixing read action in `action_type` policy condition with other types; Error instead of filtering

Hi all,

After upgrading to Ash

3.7.0

3.7.0

my tests for asserting that actions under policies requiring an actor being present started throwing

Ash.Errors.Forbidden

Ash.Errors.Forbidden

for read actions instead of just filtering and warning on

:debug

:debug

policies do
  policy action_type([:create, :read, :update]) do
    authorize_if actor_present()
  end

  policy action_type(:destroy) do
    authorize_if IsAdmin
    authorize_if relates_to_actor_via(:created_by)
  end
end

policies do
  policy action_type([:create, :read, :update]) do
    authorize_if actor_present()
  end

  policy action_type(:destroy) do
    authorize_if IsAdmin
    authorize_if relates_to_actor_via(:created_by)
  end
end

However, if I break out the first policy into individual policies where

action_type

action_type

gets a single atom for action type instead of a list, no error is thrown and the filtering in my tests occur as previously expected:

policy action_type(:read) do
  authorize_if actor_present()
end
# and the same for :create, :update

policy action_type(:read) do
  authorize_if actor_present()
end
# and the same for :create, :update

I'd like to think that

3.7.0

3.7.0

wouldn't introduce a change in the policies logic but I'm very open to it providing improved implementations that catch any of my stupid mistakes

A self-contained reproduction:

https://github.com/carlgleisner/policy_repro

GitHub

GitHub - carlgleisner/policy_repro

Contribute to carlgleisner/policy_repro development by creating an account on GitHub.

Solution

@Carl please try

main

main

Jump to solution

Mixing read action in `action_type` policy condition with other types; Error instead of filtering

Mixing read action in `action_type` policy condition with other types; Error instead of filtering

Similar Threads

Similar Threads

Similar Threads