kamaroly

kamaroly

Ash Authorization: How to Permit Record Owners to Bypass Permission Check on Some Actions?

I’m trying to authorize actions in Ash Policy Authorizer while ensuring that the owner of a record (the person who created it) can always access or modify it. However, my current policy setup still results in a :forbidden error unless MyApp.Auth.Checks.Can passes.

Scenario:

  1. Each User has an Employee (Person) profile.
  2. A Person has many Leave Requests.
  3. A Person should be able to cancel their own Leave Requests, even if they don’t have the broader permissions granted by MyApp.Auth.Checks.Can.

Current Issue:

The following policy throws :forbidden unless MyApp.Auth.Checks.Can passes. I want the policy to allow access if either MyApp.Auth.Checks.Can or expr(person.user_id == ^actor(:id)) is true

  policies do
    policy action_type(:read) do
      description "Users with permission can read leave request or the request's owner."
      authorize_if MyApp.Auth.Checks.Can
      authorize_if expr(person.user_id == ^actor(:id))
    end

    policy action_type([:create, :update, :destroy]) do
      description "People with permission can ceate, update or destory"
      authorize_if MyApp.Auth.Checks.Can
      access_type :strict
    end

    policy action(:cancel) do
      description "A person can cancel a request belonging to him"
      authorize_if expr(person.user_id == ^actor(:id))
    end
  end

Expected Behavior:

  • Users with the correct permissions (MyApp.Auth.Checks.Can) should be able to manage leave requests.
  • The owner of a leave request (person.user_id == ^actor(:id)) should also be able to access or cancel their own requests, even without additional permissions.

How can I properly configure this policy so that the record owner is always authorized without requiring MyApp.Auth.Checks.Can to pass?

Additional details on the forbidden error

{:error, %Ash.Error.Forbidden{
  bread_crumbs: ["Error returned from: MyApp.TimeOffs.TimeOffRequest.cancel"],
  errors: [
    %Ash.Error.Forbidden.Policy{
      facts: %{
        {Ash.Policy.Check.Action, [action: [:cancel], access_type: :filter]} => true,
        {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} => false,
        {Ash.Policy.Check.Expression, [expr: person.user_id == {:_actor, :id}, access_type: :filter]} => :unknown,
        {MyApp.Auth.Checks.Can, [access_type: :filter]} => false
      },
      actor: %MyApp.Auth.User{
        id: "0194dc51-62ac-70f7-9bc9-c7021121d463",
        email: "tester@example.com",
        current_tenant: "test_org"
      },
      subject: %Ash.Changeset{
        domain: MyApp.TimeOffs,
        action: :cancel,
        tenant: "test_org",
        attributes: %{status: :cancelled},
        data: %MyApp.TimeOffs.TimeOffRequest{
          id: "0194e540-be3a-7481-a88e-e4afe8c4124f",
          starts_at: ~D[2025-02-08],
          ends_at: ~D[2025-02-08],
          description: "Annual Leave",
          status: :pending
        }
      }
    }
  ]
}}

Marked As Solved

sevenseacat

sevenseacat

Author of Ash Framework

It sounds like you want to add another check to each of your policies, eg.

    policy action_type([:create, :update, :destroy]) do
      description "People with permission can ceate, update or destory"
      authorize_if MyApp.Auth.Checks.Can
      authorize_if expr(person.user_id == ^actor(:id))
      access_type :strict
    end

Policy checks cascade - if the first doesn’t pass, then the next one will be attempted.

By the by, there’s also the relates_to_actor_via which sounds like it would fit in here as well :slight_smile:

Also Liked

zachdaniel

zachdaniel

Creator of Ash

access_type :strict does not require all to pass. That just means that authorization results must be known before making the query. relates_to_actor_via requires access_type :filter (the default) because it filters the query.

kamaroly

kamaroly

Now I understand why with it was failing when access type is set to strict.

Thanks @zachdaniel

Where Next?

Popular in Questions Top

sen
Hi All, I set a environment variables in dev.exs , like below code. when i start server, how can i set the ${enable} value? thanks. d...
New
nobody
How to bind a phoenix app to a specific ip address? could not find anything about that, nowhere, unfortunately, but for me this is quite...
New
beno
I will often find my self writing things similar to: case some_value do nil -> something() "" -> something() _ -> somethi...
New
Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
komlanvi
Hi everyone, I was playing with phoenix liveView but I run into an issue. I have a form and want to validate each input text when the te...
New
yawaramin
In the Dialyzer docs ( dialyzer — OTP 29.0.2 (dialyzer 6.0.1) ), there is a way to turn off a specific warning for a function: -dialyzer...
New
jaysoifer
Is there a way to rollback a specific migration and only that one (“skipping” all the other ones)? Would mix ecto.rollback -v 200809061...
New

Other popular topics Top

sen
Hi All, I set a environment variables in dev.exs , like below code. when i start server, how can i set the ${enable} value? thanks. d...
New
danschultzer
None of the current solutions worked well for me, so I went ahead and built a user management system from scratch. This project took far...
548 29603 241
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
greenz1
I have a phoenix application from which a user can download multiple(5-6) files of size 1MB. I couldn’t find anything related to sending ...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
Qqwy
Original source of discussion: This topic on the Pragmatic Programmers’ Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
boundedvariable
I am going through the kafka architecture. All the features what the kafka is providing are already in Erlang. I would like hear your opi...
New
joaquinalcerro
Hi there, I am working with Ecto-Postgresql and I need to call all of the records from a specific table but the table has 40,000 records...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement