Ash Framework
Jesse Williams

ash_graphql update without authorizing the read action

I have a user ash resource (not using ash_authentication here) whose read action is gated by policies. I'm adding a reset_password action, which will take a reset token we emailed to the user and their new password, and if the token matches, will update their password (all of this via ash_graphql from an SPA).
Because of the nature of this workflow, there will necessarily be no actor present when this action is called. In direct Elixir code (such as in unit tests), this works great:
```elixir
user
|> Ash.Changeset.for_update(:reset_password, %{ ... }, actor: nil)
|> Ash.update!()
```

but via graphql mutation, this becomes an issue because ash_graphql uses the resource's read action, which is gated by policies, so the read phase of the graphql transaction fails because it is filtering based on the actor (which does not exist here).
I'm wondering if it's possible to disable authorization on just the read action for a graphql call? Or is my only option in this case to create a separate read action w/ no policies and use read_action :unfiltered_read or something?