What’s the difference between a simple policy on a resource that is:
  policy action_type(:create) do
    description "Only admins can create surveys"
    authorize_if actor_attribute_equals(:admin?, true)
    forbid_if always()
  end
as compared to
  policy action_type(:create) do
    description "Only admins can create surveys"
    forbid_unless actor_attribute_equals(:admin?, true)
  end
I had assumed that the latter would be the same as the former with fewer lines, but that doesn’t seem to be the case.
What else do I need to read on this topic?
Thanks
Martin
Policies forbid by default. So when following a policy from the top down, if nothing creates the :authorized
result, then the policy is forbidden.
What that means for your first policy is:
  policy action_type(:create) do
    description "Only admins can create surveys"
    authorize_if actor_attribute_equals(:admin?, true)
    # forbid_if always() <- this is not necessary
  end
What that means for your second policy is:
  policy action_type(:create) do
    description "Only admins can create surveys"
    forbid_unless actor_attribute_equals(:admin?, true)
    # Nothing will ever produce `:authorized` here, so this policy will never pass.
  end
The policies guide explains how policies are evaluated, expanding on these concepts.
Makes sense - so an authorize_if always() after the forbid would work in the second case.
Thanks for the reply.
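To make the top-down evaluation described in the answer concrete, and to show why appending authorize_if always() to the second policy is what makes it pass, here is a small simulation written for this thread. It is not Ash's own implementation: PolicySim and its check functions are stand-ins that model only the rule "walk the checks in order, the first rule that fires decides, and an exhausted list is forbidden". The actors are constructed sample maps.

```elixir
defmodule PolicySim do
  @moduledoc """
  Hypothetical model of how the checks inside a single Ash policy are
  evaluated top-down. This is illustration code for the thread above,
  not Ash's real policy engine.
  """

  # A check is modelled as a function from the actor to a boolean.
  def always, do: fn _actor -> true end

  def actor_attribute_equals(attr, value),
    do: fn actor -> Map.get(actor, attr) == value end

  # Walk the checks in order. The first check whose rule fires decides the
  # result. If the list is exhausted without producing :authorized, the
  # policy is :forbidden, which is the forbid-by-default behaviour.
  def run(checks, actor) do
    Enum.reduce_while(checks, :forbidden, fn {kind, check}, acc ->
      case {kind, check.(actor)} do
        {:authorize_if, true} -> {:halt, :authorized}
        {:forbid_if, true} -> {:halt, :forbidden}
        {:authorize_unless, false} -> {:halt, :authorized}
        {:forbid_unless, false} -> {:halt, :forbidden}
        # The rule did not fire, so move on to the next check.
        _ -> {:cont, acc}
      end
    end)
  end
end

# Constructed sample actors.
admin = %{admin?: true}
user = %{admin?: false}

# The first policy from the question: the trailing forbid_if is redundant
# because an exhausted list is already forbidden.
first = [
  {:authorize_if, PolicySim.actor_attribute_equals(:admin?, true)},
  {:forbid_if, PolicySim.always()}
]

# The second policy: nothing here can ever produce :authorized.
second = [
  {:forbid_unless, PolicySim.actor_attribute_equals(:admin?, true)}
]

# The second policy with an explicit authorize_if always() appended,
# so that an actor who survives the forbid_unless is actually authorized.
fixed = second ++ [{:authorize_if, PolicySim.always()}]

IO.inspect({PolicySim.run(first, admin), PolicySim.run(first, user)}, label: "first")
IO.inspect({PolicySim.run(second, admin), PolicySim.run(second, user)}, label: "second")
IO.inspect({PolicySim.run(fixed, admin), PolicySim.run(fixed, user)}, label: "fixed")
```

Running this with elixir prints {:authorized, :forbidden} for the first policy, {:forbidden, :forbidden} for the second (the admin passes the forbid_unless but then falls off the end of the list, and the default is forbid), and {:authorized, :forbidden} once authorize_if always() is appended. The point for policy authors is that a forbid-only policy is a denial for everyone; every policy that should ever allow an action needs at least one check that can produce :authorized.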