16 replies

Correct way to authorize create actions

Ash🔒Policies

I am developing a multi-tenant application in which my

Organization

Organization

tenant resource has a

has_many

has_many

relationship with my

Establishment

Establishment

resource. I've tried using this policy to authorize the creation of new establishments only if the actor is the owner (

belongs_to

belongs_to

User

User

rel in org)

policy action(:create_establishment) do
  description "Only the owner can create an establishment"
  authorize_if relates_to_actor_via([:organization, :owner])
end

policy action(:create_establishment) do
  description "Only the owner can create an establishment"
  authorize_if relates_to_actor_via([:organization, :owner])
end

But this traversal seems to work only for update and destroy actions. What should I do instead in this scenario?

I'm trying to implement a simple check using the tenant data passed in the scope, but it doesn't seem to be available in the callback context

defmodule Lamashka.PolicyChecks.OrganizationOwner do
  use Ash.Policy.SimpleCheck

  def describe(_opts), do: "actor must be owner of the organization"

  def match?(actor, context, _opts) do
    # not available
    context.tenant.owner_id == actor.id
  end
end

defmodule Lamashka.PolicyChecks.OrganizationOwner do
  use Ash.Policy.SimpleCheck

  def describe(_opts), do: "actor must be owner of the organization"

  def match?(actor, context, _opts) do
    # not available
    context.tenant.owner_id == actor.id
  end
end

Correct way to authorize create actions

Ash🔒Policies

I am developing a multi-tenant application in which my

Organization

Organization

tenant resource has a

has_many

has_many

relationship with my

Establishment

Establishment

resource. I've tried using this policy to authorize the creation of new establishments only if the actor is the owner (

belongs_to

belongs_to

User

User

rel in org)

policy action(:create_establishment) do
  description "Only the owner can create an establishment"
  authorize_if relates_to_actor_via([:organization, :owner])
end

policy action(:create_establishment) do
  description "Only the owner can create an establishment"
  authorize_if relates_to_actor_via([:organization, :owner])
end

defmodule Lamashka.PolicyChecks.OrganizationOwner do
  use Ash.Policy.SimpleCheck

  def describe(_opts), do: "actor must be owner of the organization"

  def match?(actor, context, _opts) do
    # not available
    context.tenant.owner_id == actor.id
  end
end

defmodule Lamashka.PolicyChecks.OrganizationOwner do
  use Ash.Policy.SimpleCheck

  def describe(_opts), do: "actor must be owner of the organization"

  def match?(actor, context, _opts) do
    # not available
    context.tenant.owner_id == actor.id
  end
end

Correct way to authorize create actions

Similar Threads

Correct way to authorize create actions

Similar Threads

Similar Threads

Similar Threads