AshGraphql response data is null, only when a particular policy is used

Ash Forum Ash Questions / Help
,
1

I’m running into a policy and AshGraphql problem, and it seems like a bug.

Here’s my GraphQL query:

query GetEvent2($id: ID!) {
  getEvent2(id: $id) {
    id
  }
}

It’s returning the following response:

%{"data" => %{"getEvent2" => nil}}

Here’s the policy debug log:

[debug] Successful authorization: GF.Events.Event2.read

Generated Filter:
invites.member_id == "BKDK97081LAQXMUJR"
Policy Breakdown
  member2: %{id: "BKDK97081LAQXMUJR"}

  Policy | 🔎:

    condition: action == :read

    authorize if: invites.member_id == "BKDK97081LAQXMUJR" | ✓ | 🔎

And here’s the policy definition:

    policy action :read do
      # authorize_if expr(is_public)
      # authorize_if expr(^actor(:status) == :active)
      authorize_if expr(invites.member_id == ^actor(:id))
    end

The primary resource is Event2, which has_many Invites. Each Invite has a member_id. The actor is a Member whose ID matches member_id.

If I use straight Ash.get!(Event2, event_id, actor: actor), that returns Event2 data.

If I uncomment those two other authorize_if lines, then modify the test setup to use either of them, the query returns the expected response data. It’s just that last authorize_if that seems to be tripping things up. What is different about it? Is it because it goes throug a has_many relationship?

I also tried opening up the :read policy on the Invite resource, to allow anyone to read that, and that didn’t help.

2

Try using

authorize_if expr(exists(invites, member_id == ^actor(:id)))

EDIT: not sure if its your issue or not, but if it is, the context for what may be happening is here:

https://hexdocs.pm/ash/policies.html

In the section on “using exists” (which I frustratingly cannot anchor link you directly to)

3

I tried that exists() expression earlier today, after reading that documentation. I just tried it again now, with the same result. Here’s the SQL from the logs, if you’re interested:

SELECT e0."id"
FROM "public"."events" AS e0
WHERE (e0."id" = $1)
  AND (e0."group_id" = $2)
  AND (
    EXISTS (
      SELECT 1
      FROM "events"."invites" AS si0
      WHERE (si0."member_id" = $3)
        AND (si0."group_id" = $4)
        AND (e0."id" = si0."event_id")
    )
  )

-- [469677, 970674, "V1KJW49URLTGJNFI8", 970674]
4

Hmm…that seems right? In terms of how the exists query should be run. Do you know where the group_id = $2 part of the query comes from?

5

The group_id is the tenant. That’s added automatically. The query looks correct. The policy passes (according to the logs). It’s just that the data returned from the GraphQL is empty.

6

:thinking: Is it possible to reproduce this w/o using AshGraphql? By calling an equivalent action under the hood? I’d be really surprised if somehow only the GraphQL was affected by policy filters in some way.

7

LIke this?

Yeah, it returned Event2 data, using the same test setup as the GraphQL test.

I’ll return to this tomorrow, and re-check the test, just to be sure.

8

It definitely seems like a bug somewhere, but I think its at the point where I’ll need to be able to reproduce it as nothing is really jumping out at me :cry:

9

I extracted the problem away from AshGraphql:

      result =
        GF.Events.Event2
        |> Ash.Query.for_read(:read)
        |> Ash.Query.filter(id == ^event.id)
        |> Ash.Query.select([:id])
        |> Ash.Query.set_tenant(ctx.group.id)
        |> Ash.read_first(actor: ctx.session_member)

      dbg(result)

This produces {:ok, nil}.

However, if I remove |> Ash.Query.set_tenant(ctx.group.id) from the expression, it returns the Event2 struct instead of nil.

10

Found the problem. The Invite didn’t have a group_id (tenant). It works now!

Thanks for working through this problem with me @zachdaniel!

1 Like