43 replies

Read action return forbidden instead of filtering

Ash🔒Policies

I have a resource, looking like

defmodule MyApp.Foo.Bar
  use Ash.Resource,
    authorizers: [Ash.Policy.Authorizer],
    data_layer: AshPostgres.DataLayer,
    domain: MyApp.Foo,
    notifiers: [
      Ash.Notifier.PubSub
    ]

  actions do
    read :read do
      # set up some filters/pagination
    end
  end

  policies do
    policy action_type(:read) do
      authorize_if {MyApp.FilterCheck1}
      authorize_if {MyApp.FilterCheck2}
      authorize_if {MyApp.FilterCheck3}
    end
  end
end

defmodule MyApp.Foo.Bar
  use Ash.Resource,
    authorizers: [Ash.Policy.Authorizer],
    data_layer: AshPostgres.DataLayer,
    domain: MyApp.Foo,
    notifiers: [
      Ash.Notifier.PubSub
    ]

  actions do
    read :read do
      # set up some filters/pagination
    end
  end

  policies do
    policy action_type(:read) do
      authorize_if {MyApp.FilterCheck1}
      authorize_if {MyApp.FilterCheck2}
      authorize_if {MyApp.FilterCheck3}
    end
  end
end

Now, I am doing a query

Bar.read(%{}, actor: my_user)

Bar.read(%{}, actor: my_user)

I had expected this to return

[]

[]

, as

my_user

my_user

cannot see any of the current values, due to the policies. However, I am getting a forbidden:

%Ash.Error.Forbidden{bread_crumbs: ["Error returned from: MyApp.Foo.Bar.read"],  query: "#Query<>",  errors: [%Ash.Error.Forbidden.Policy{...}]}

%Ash.Error.Forbidden{bread_crumbs: ["Error returned from: MyApp.Foo.Bar.read"],  query: "#Query<>",  errors: [%Ash.Error.Forbidden.Policy{...}]}

In the error, I can see that the action is a filter:

Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} => true

Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} => true

I have no clue why it gave a forbidden. Can someone help me with this (perhaps even suggesting what to look for?)

Ash Framework•3mo ago•

43 replies

Aron Zwaan

Read action return forbidden instead of filtering

Ash🔒Policies

I have a resource, looking like

defmodule MyApp.Foo.Bar
  use Ash.Resource,
    authorizers: [Ash.Policy.Authorizer],
    data_layer: AshPostgres.DataLayer,
    domain: MyApp.Foo,
    notifiers: [
      Ash.Notifier.PubSub
    ]

  actions do
    read :read do
      # set up some filters/pagination
    end
  end

  policies do
    policy action_type(:read) do
      authorize_if {MyApp.FilterCheck1}
      authorize_if {MyApp.FilterCheck2}
      authorize_if {MyApp.FilterCheck3}
    end
  end
end

defmodule MyApp.Foo.Bar
  use Ash.Resource,
    authorizers: [Ash.Policy.Authorizer],
    data_layer: AshPostgres.DataLayer,
    domain: MyApp.Foo,
    notifiers: [
      Ash.Notifier.PubSub
    ]

  actions do
    read :read do
      # set up some filters/pagination
    end
  end

  policies do
    policy action_type(:read) do
      authorize_if {MyApp.FilterCheck1}
      authorize_if {MyApp.FilterCheck2}
      authorize_if {MyApp.FilterCheck3}
    end
  end
end

Now, I am doing a query

Bar.read(%{}, actor: my_user)

Bar.read(%{}, actor: my_user)

I had expected this to return

[]

[]

, as

my_user

my_user

cannot see any of the current values, due to the policies. However, I am getting a forbidden:

%Ash.Error.Forbidden{bread_crumbs: ["Error returned from: MyApp.Foo.Bar.read"],  query: "#Query<>",  errors: [%Ash.Error.Forbidden.Policy{...}]}

%Ash.Error.Forbidden{bread_crumbs: ["Error returned from: MyApp.Foo.Bar.read"],  query: "#Query<>",  errors: [%Ash.Error.Forbidden.Policy{...}]}

In the error, I can see that the action is a filter:

Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} => true

Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} => true

I have no clue why it gave a forbidden. Can someone help me with this (perhaps even suggesting what to look for?)

Read action return forbidden instead of filtering

Similar Threads

Read action return forbidden instead of filtering

Similar Threads

Similar Threads

Similar Threads