sezaru

sezaru

Ash FilterCheck policy for read and create/update/destroy actions

I have this policy that I use to identify if the user is himself or not:

defmodule Core.Ash.Policies.Self do
  @moduledoc false

  use Ash.Policy.FilterCheck

  @impl Ash.Policy.Check
  def describe(opts) do
    field = Keyword.get(opts, :field, :id)

    "record #{field} matches actor id"
  end

  @impl Ash.Policy.FilterCheck
  def filter(_actor, _context, opts) do
    field = Keyword.get(opts, :field, :id)

    expr(^ref(field) == ^actor(:id))
  end
end

This works fine for read actions, but it will fail for create/update/destroy actions. To fix that I made these changes:

defmodule Core.Ash.Policies.Self do
  @moduledoc false

  use Ash.Policy.FilterCheck

  defoverridable strict_check: 3

  @impl Ash.Policy.Check
  def describe(opts) do
    field = Keyword.get(opts, :field, :id)

    "record #{field} matches actor id"
  end

  @impl Ash.Policy.FilterCheck
  def filter(_actor, _context, opts) do
    field = Keyword.get(opts, :field, :id)

    expr(^ref(field) == ^actor(:id))
  end

  @impl Ash.Policy.Check
  def strict_check(actor, %{changeset: %Ash.Changeset{action_type: :create} = changeset}, opts) do
    field = Keyword.get(opts, :field, :id)

    {:ok, Ash.Changeset.get_attribute(changeset, field) == actor.id}
  end

  def strict_check(actor, %{changeset: %Ash.Changeset{} = changeset}, opts) do
    field = Keyword.get(opts, :field, :id)

    {:ok, Ash.Changeset.get_data(changeset, field) == actor.id}
  end

  def strict_check(actor, authorizer, opts) do
    super(actor, authorizer, opts)
  end
end

Now it seems to work fine, but I’m not sure if this is the best way to do that. Any thoughts?

Most Liked

zachdaniel

zachdaniel

Creator of Ash

they should work for update/destroy actions, but not for create actions. I would not suggest using FilterCheck and overriding strict_check, because there are callbacks you need for your version to work consistently around atomic updates. You would want to rework this as a full Ash.Policy.Check module.

I don’t really see how you can have an actor that is creating themselves, but assuming they were creating something else and you wanted to check ownership, you could do:

policy_group some_shared_condition() do
  policy action_type(:create) do
    authorize_if relating_to_actor(:owner)
  end

  policy action_type([:read, :update, :destroy]) do
    authorize_if relates_to_actor_via(:owner)
  end
end

Where Next?

Popular in Questions Top

New
siddhant3030
Hi, I have to write a raw query for one of my project. But till now I have used ecto queries and don’t have much experience writing raw ...
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
vac
Hi, I’m quite new in Elixir and I’m trying to format a string to a PEM format. I have the certificate value like MIIDBTCCAe2...... and I...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
lucidguppy
I have a super simple question about elixir - how would I take a file like this foo bar baz and output a new file that enumerates th...
New
itssasanka
Hi all, Trying to get some more clarity over utc_datetime and naive_datetime for Ecto: The documentation above suggests that while ...
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New

Other popular topics Top

sen
Hi All, I set a environment variables in dev.exs , like below code. when i start server, how can i set the ${enable} value? thanks. d...
New
Nvim
Anybody knows a comprehensive comparison of Django and Phoenix, thanks for the help. Where are they similar? Where do they differ the m...
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
chrismccord
This release brings a number of exciting features, including integration with the new Phoenix LiveDashboard and Phoenix LiveView. There h...
New
vegabook
I’m brand new to Phoenix and I have stripped one of the demo applications to the bone. I just want to get an svg up on the screen. Here i...
New
freewebwithme
Using vs code and installed ElixirLS: support and debugger. And I got an error popped up on start up says Failed to run ‘elixir’ comma...
New
saif
Hello everyone, Long time lurker first time poster here. I’ve recently begun working on Elixir full-time again! :raised_hands: It’s been...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New

We're in Beta

About us Mission Statement