sezaru

sezaru

Ash FilterCheck policy for read and create/update/destroy actions

I have this policy that I use to identify if the user is himself or not:

defmodule Core.Ash.Policies.Self do
  @moduledoc false

  use Ash.Policy.FilterCheck

  @impl Ash.Policy.Check
  def describe(opts) do
    field = Keyword.get(opts, :field, :id)

    "record #{field} matches actor id"
  end

  @impl Ash.Policy.FilterCheck
  def filter(_actor, _context, opts) do
    field = Keyword.get(opts, :field, :id)

    expr(^ref(field) == ^actor(:id))
  end
end

This works fine for read actions, but it will fail for create/update/destroy actions. To fix that I made these changes:

defmodule Core.Ash.Policies.Self do
  @moduledoc false

  use Ash.Policy.FilterCheck

  defoverridable strict_check: 3

  @impl Ash.Policy.Check
  def describe(opts) do
    field = Keyword.get(opts, :field, :id)

    "record #{field} matches actor id"
  end

  @impl Ash.Policy.FilterCheck
  def filter(_actor, _context, opts) do
    field = Keyword.get(opts, :field, :id)

    expr(^ref(field) == ^actor(:id))
  end

  @impl Ash.Policy.Check
  def strict_check(actor, %{changeset: %Ash.Changeset{action_type: :create} = changeset}, opts) do
    field = Keyword.get(opts, :field, :id)

    {:ok, Ash.Changeset.get_attribute(changeset, field) == actor.id}
  end

  def strict_check(actor, %{changeset: %Ash.Changeset{} = changeset}, opts) do
    field = Keyword.get(opts, :field, :id)

    {:ok, Ash.Changeset.get_data(changeset, field) == actor.id}
  end

  def strict_check(actor, authorizer, opts) do
    super(actor, authorizer, opts)
  end
end

Now it seems to work fine, but I’m not sure if this is the best way to do that. Any thoughts?

Most Liked

zachdaniel

zachdaniel

Creator of Ash

they should work for update/destroy actions, but not for create actions. I would not suggest using FilterCheck and overriding strict_check, because there are callbacks you need for your version to work consistently around atomic updates. You would want to rework this as a full Ash.Policy.Check module.

I don’t really see how you can have an actor that is creating themselves, but assuming they were creating something else and you wanted to check ownership, you could do:

policy_group some_shared_condition() do
  policy action_type(:create) do
    authorize_if relating_to_actor(:owner)
  end

  policy action_type([:read, :update, :destroy]) do
    authorize_if relates_to_actor_via(:owner)
  end
end

Where Next?

Popular in Questions Top

siddhant3030
Hi, I have to write a raw query for one of my project. But till now I have used ecto queries and don’t have much experience writing raw ...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? Ecto.Repo — Ecto v3.14.0 has exampl...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
itssasanka
Hi all, Trying to get some more clarity over utc_datetime and naive_datetime for Ecto: The documentation above suggests that while ...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
hariharasudhan94
I would like to know what is the best IDE for elixir development?
New
PeterCarter
There are pre-rolled solutions for other frameworks that do work. However, Phoenix does not seem to have these. Have people had good expe...
New

Other popular topics Top

sorentwo
Hello! tl;dr Announcing Oban, an Ecto based job processing library with a focus on reliability and historical observability. After spen...
985 42920 311
New
Nvim
Anybody knows a comprehensive comparison of Django and Phoenix, thanks for the help. Where are they similar? Where do they differ the m...
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New
joeerl
Hello again - after a longish gap I’ve decided I really must dig into Elixir and see what’s been happening here - so I have a few questio...
New
SoCreat
i’m a new one to elixir which editor can i use vs code? or atom? Thanks! :smiley:
New
vonH
When I run the Plug and I recompile I wind up having to use Ctrl C to quit iex and start again. Witht the help of rlwrap I can use the cu...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
KronicDeth
Elixir plugin for JetBrain’s IntelliJ Platform (including Rubymine) This is a plugin that adds support for Elixir to JetBrains IntelliJ...
289 36128 110
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New

Latest on Elixir Forum

We're in Beta

About us Mission Statement