Ash Policies: `nil` is not a Spark DSL module

Ash Forum Ash Questions / Help
,
1

I have a FilterCheck policy that looks like this:

use Ash.Policy.FilterCheck

 def filter(actor, context, options) do
    tenant_id = context.subject.tenant.id

    resource_name =
      options[:resource]
      |> to_string()
      |> String.split(".")
      |> List.last()

    expr(
      exists(
        MyApp.AccessRight,
        tenant_id == ^tenant_id and
          resource_name == ^resource_name and read == true)
      )
    )

    # dbg()
  end

and I use this policy in my resource this way:

  policies do
    policy action(:list_paginated) do
      authorize_if MyFilterCheckPolicy
    end
  end

and here is how I use the resource action in my LiveView:

Posts.list_paginated(actor: current_user, tenant: tenant)

The problem:
For some reason, this setup does not work; it raises this error:

[error] ** (ArgumentError) `nil` is not a Spark DSL module.

    nil.persisted(:data_layer)
    (spark 2.2.31) lib/spark/dsl/extension.ex:138: Spark.Dsl.Extension.persisted!/3
    (ash 3.4.21) lib/ash/filter/filter.ex:3734: Ash.Filter.do_hydrate_refs/2
    ... more stacktraces below

and interestingly, it works if I uncomment the dbg() call at the end of the policy (see code above).

How can I fix the above error?

2

exists does not take a resource it takes a relationship or relationship oath.

i.e exists(access_rights, ....

or

exists(access_rights.user, ...

Please open an issue describing that bad error output and I will look to make it clearer.

2 Likes
3

Thanks for the response.

I’m working together with Amos on this, so I just want to provide more context.

The reason why we put the module name there was we tried to use the tenant relationship, instead of relationship to the record policy is affecting. We’re trying to use the same policy for several types of resources that don’t have direct relationship to access_rights.

Is it possible to get the tenant from the context, and then get access_rights rows associated with it plus filter based on some additional conditions?

I’ve tried this but it didn’t work.

def filter(actor, context, options) do
  tenant =
    case context.query.tenant do
      %Tenant{} = tenant ->
        tenant

      _ ->
        tenant_id = String.replace(context.query.tenant, "tenant_", "")
        Ash.get!(Tenant, tenant_id)
    end

  resource_name =
    options[:resource]
    |> to_string()
    |> String.split(".")
    |> List.last()

  expr(
    exists(
      ^tenant.access_rights,
      resource_name == ^resource_name and
        read == true and
        exists(group.group_users, user_id == ^actor.id)
    )
  )
end
4

:thinking: You should be able to do something along those lines, yes. When you say it didn’t work, what do you mean?

5

I’ve had the same error.

I’ll try two things: manual relationships vs using lower-level Ash.Query functions and post the result.

6

Ah, sorry I just looked more closely. You can’t use exists with anything other than a relationship reference. ^value is not a relationship reference.

Here is the related issue for the improvement we’d like to make. Support resources as aggregate targets in expressions · Issue #939 · ash-project/ash · GitHub

So to do this logic that you want you’ll need to do the work entirely in the check module. and return {:ok, true | false}

1 Like
7

Since I needed to do a filter check instead of a simple check, I ended up with a manual relationship and with more knowledge about the powers of Ash. Mind getting blown every day… :exploding_head:

Thanks!

1 Like