Hopefully a simple one where I’m just not understanding the documentation properly between policies and AshJsonAPI.

I have a resource with two attributes where we use one of the attributes to reference a value that is held in our Actor struct. Note our “user” isn’t captured as a resource in Ash and we’re instead ad-hoc creating the Actor struct in a plug further up the pipeline.

attribute :name, :string
attribute :owner_id, :string

This resource is exposed via AshJsonAPI and I’d like to put some access restrictions on the :create, :update, and :destroy actions where clients shouldn’t be allowed to create, update, or destroy records that they don’t “own”.

policy action_type([:update, :destroy]) do
   forbid_unless expr(owner_id == ^actor(:name))
end

This seemingly works, however it returns a 404 instead of a 403 when a policy isn’t allowed for :update and :destroy. I’m not sure if that’s expected or not, but I thought :update and :destroy would yield the forbidden error rather than the “filtering” 404. Further, if I update the :access_type to force :strict mode then the policy never authorizes anything even when the expr should be returning true (this one definitely confuses me). For a little more context the :read action is unrestricted so anyone can see anyone else’s records – they’re just not allowed to update/delete them.

policy action_type([:update, :destroy]) do
   access_type :strict
   authorize_if expr(owner == ^actor(:name))
end

Trying to figure out if I’m missing something, if the above behavior is an actual bug, or maybe I’m playing way out in left field somewhere.