ash_graphql update without authorizing the read action
I have a user ash resource (not using ash_authentication here) whose read action is gated by policies. I'm adding a reset_password action, which will take a reset token we emailed to the user and their new password, and if the token matches, will update their password (all of this via ash_graphql from an SPA).
Because of the nature of this workflow, there will necessarily be no actor present when this action is called. In direct elixir code (such as in unit tests), this works great:
but via graphql mutation, this becomes an issue because ash_graphql uses the resource's read action, which is gated by policies., so the read phase of the graphql transaction fails because it is filtering based on the actor (which does not exist here).
I'm wondering if it's possible to disable authorization on just the read action for a graphql call? Or is my only option in this case to create a separate read action w/ no policies and use
Because of the nature of this workflow, there will necessarily be no actor present when this action is called. In direct elixir code (such as in unit tests), this works great:
but via graphql mutation, this becomes an issue because ash_graphql uses the resource's read action, which is gated by policies., so the read phase of the graphql transaction fails because it is filtering based on the actor (which does not exist here).
I'm wondering if it's possible to disable authorization on just the read action for a graphql call? Or is my only option in this case to create a separate read action w/ no policies and use
read_action :unfiltered_read
The Elixir backend framework for unparalleled productivity. Declarative tools that let you stop wasting time. Use with Phoenix LiveView or build APIs in minutes for your front-end of choice.
2,193Members
Resources
Similar Threads
Was this page helpful?
