43 replies

Read action return forbidden instead of filtering

Ash🔒Policies

I have a resource, looking like

defmodule MyApp.Foo.Bar
  use Ash.Resource,
    authorizers: [Ash.Policy.Authorizer],
    data_layer: AshPostgres.DataLayer,
    domain: MyApp.Foo,
    notifiers: [
      Ash.Notifier.PubSub
    ]

  actions do
    read :read do
      # set up some filters/pagination
    end
  end

  policies do
    policy action_type(:read) do
      authorize_if {MyApp.FilterCheck1}
      authorize_if {MyApp.FilterCheck2}
      authorize_if {MyApp.FilterCheck3}
    end
  end
end

defmodule MyApp.Foo.Bar
  use Ash.Resource,
    authorizers: [Ash.Policy.Authorizer],
    data_layer: AshPostgres.DataLayer,
    domain: MyApp.Foo,
    notifiers: [
      Ash.Notifier.PubSub
    ]

  actions do
    read :read do
      # set up some filters/pagination
    end
  end

  policies do
    policy action_type(:read) do
      authorize_if {MyApp.FilterCheck1}
      authorize_if {MyApp.FilterCheck2}
      authorize_if {MyApp.FilterCheck3}
    end
  end
end

defmodule MyApp.Foo.Bar
  use Ash.Resource,
    authorizers: [Ash.Policy.Authorizer],
    data_layer: AshPostgres.DataLayer,
    domain: MyApp.Foo,
    notifiers: [
      Ash.Notifier.PubSub
    ]

  actions do
    read :read do
      # set up some filters/pagination
    end
  end

  policies do
    policy action_type(:read) do
      authorize_if {MyApp.FilterCheck1}
      authorize_if {MyApp.FilterCheck2}
      authorize_if {MyApp.FilterCheck3}
    end
  end
end

defmodule MyApp.Foo.Bar
  use Ash.Resource,
    authorizers: [Ash.Policy.Authorizer],
    data_layer: AshPostgres.DataLayer,
    domain: MyApp.Foo,
    notifiers: [
      Ash.Notifier.PubSub
    ]

  actions do
    read :read do
      # set up some filters/pagination
    end
  end

  policies do
    policy action_type(:read) do
      authorize_if {MyApp.FilterCheck1}
      authorize_if {MyApp.FilterCheck2}
      authorize_if {MyApp.FilterCheck3}
    end
  end
end

Now, I am doing a query

Bar.read(%{}, actor: my_user)

Bar.read(%{}, actor: my_user)

Bar.read(%{}, actor: my_user)

Bar.read(%{}, actor: my_user)

I had expected this to return

[]

[]

, as

my_user

my_user

my_user

my_user cannot see any of the current values, due to the policies. However, I am getting a forbidden:

%Ash.Error.Forbidden{bread_crumbs: ["Error returned from: MyApp.Foo.Bar.read"],  query: "#Query<>",  errors: [%Ash.Error.Forbidden.Policy{...}]}

%Ash.Error.Forbidden{bread_crumbs: ["Error returned from: MyApp.Foo.Bar.read"],  query: "#Query<>",  errors: [%Ash.Error.Forbidden.Policy{...}]}

%Ash.Error.Forbidden{bread_crumbs: ["Error returned from: MyApp.Foo.Bar.read"],  query: "#Query<>",  errors: [%Ash.Error.Forbidden.Policy{...}]}

%Ash.Error.Forbidden{bread_crumbs: ["Error returned from: MyApp.Foo.Bar.read"],  query: "#Query<>",  errors: [%Ash.Error.Forbidden.Policy{...}]}

In the error, I can see that the action is a filter:

Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} => true

Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} => true

Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} => true

Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} => true

I have no clue why it gave a forbidden. Can someone help me with this (perhaps even suggesting what to look for?)

Read action return forbidden instead of filtering

Similar Threads

Similar Threads

Similar Threads