Ash Framework • 2mo ago
Carl

Mixing read action in `action_type` policy condition with other types; Error instead of filtering

Hi all, after upgrading to Ash 3.7.0 my tests for asserting that actions under policies requiring an actor being present started throwing `Ash.Errors.Forbidden` for read actions instead of just filtering and warning on `:debug`.
```elixir
policies do
  policy action_type([:create, :read, :update]) do
    authorize_if actor_present()
  end

  policy action_type(:destroy) do
    authorize_if IsAdmin
    authorize_if relates_to_actor_via(:created_by)
  end
end
```
However, if I break out the first policy into individual policies where `action_type` gets a single atom for action type instead of a list, no error is thrown and the filtering in my tests occurs as previously expected:
```elixir
policy action_type(:read) do
  authorize_if actor_present()
end
# and the same for :create, :update
```
I'd like to think that 3.7.0 wouldn't introduce a change in the policies logic but I'm very open to it providing improved implementations that catch any of my stupid mistakes 🙃

A self-contained reproduction: https://github.com/carlgleisner/policy_repro
7 Replies
ZachDaniel • 2mo ago
@Carl can you update to 3.7.1 please?
Carl (OP) • 2mo ago
I made the repro with 3.7.1 already 🫡
ZachDaniel • 2mo ago
Actually this may just be a bug
Carl (OP) • 2mo ago
Had a feeling but with respect to you I always assume it's on my end 🙂
ZachDaniel • 2mo ago
Okay, I have a lead. Luckily, this particular issue would only ever lead to getting a different kind of error on forbidden, not any kind of security issue.
Solution
ZachDaniel • 2mo ago
@Carl please try main
