Authorizer Policies: What's the difference?

What’s the difference between a simple policy on a resource that is:

policy action_type(:create) do
  description "Only admins can create surveys"
  authorize_if actor_attribute_equals(:admin?, true)
  forbid_if always()
end

as compared to

policy action_type(:create) do
  description "Only admins can create surveys"
  forbid_unless actor_attribute_equals(:admin?, true)
end

I had assumed that the latter would be the same as the former but with fewer lines - but that doesn’t seem to be the case.

What else do I need to read on this topic?

Thanks
Martin

Policies forbid by default. So when following a policy from the top down, if nothing creates the :authorized result, then the policy is forbidden.

What that means for your first policy is:

policy action_type(:create) do
  description "Only admins can create surveys"
  authorize_if actor_attribute_equals(:admin?, true)
  #  forbid_if always() <- this is not necessary
end

What that means for your second policy is:

policy action_type(:create) do
  description "Only admins can create surveys"
  forbid_unless actor_attribute_equals(:admin?, true)
  # Nothing will ever produce `:authorized` here, so this policy will never pass.
end

The policies guide explains how policies are evaluated, expanding on these concepts.

Makes sense - so an authorize_if always() after the forbid would work in the second case.

Thanks for the reply.

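To make the evaluation rule from the answer concrete, here is a small constructed simulation of how a single policy's checks are walked top-down: the first check that "fires" decides the result, and a policy whose checks never produce a result is forbidden. This is an added example, not Ash's own implementation; the module name PolicyDemo, the evaluate/2 function and the tuple encoding of checks are assumptions made for the demo, and the actors are constructed sample maps. It runs the two policies from the question plus the variant from the follow-up reply (forbid_unless followed by authorize_if always()).

```elixir
# Constructed toy evaluator (added example, not Ash's code) mirroring the
# rule stated in the thread: checks are evaluated in order, the first one
# that yields :authorized or :forbidden stops evaluation, and a policy in
# which nothing yields :authorized is forbidden by default.
defmodule PolicyDemo do
  # A check is a function from the actor to a boolean.
  def always, do: fn _actor -> true end

  def actor_attribute_equals(attr, value) do
    fn actor -> Map.get(actor, attr) == value end
  end

  # Walk the checks top-down. A check that does not fire returns nil and
  # falls through to the next one; if none fires, the default is :forbidden.
  def evaluate(checks, actor) do
    Enum.find_value(checks, :forbidden, fn {kind, check} ->
      case {kind, check.(actor)} do
        {:authorize_if, true} -> :authorized
        {:authorize_unless, false} -> :authorized
        {:forbid_if, true} -> :forbidden
        {:forbid_unless, false} -> :forbidden
        _ -> nil
      end
    end)
  end

  def demo do
    # Constructed sample actors.
    admin = %{admin?: true}
    user = %{admin?: false}
    is_admin = actor_attribute_equals(:admin?, true)

    # The three policies discussed in the thread, encoded as check lists.
    policies = [
      first: [{:authorize_if, is_admin}, {:forbid_if, always()}],
      second: [{:forbid_unless, is_admin}],
      fixed: [{:forbid_unless, is_admin}, {:authorize_if, always()}]
    ]

    for {name, checks} <- policies, {who, actor} <- [admin: admin, user: user] do
      IO.puts("#{name} / #{who}: #{evaluate(checks, actor)}")
    end

    :ok
  end
end

PolicyDemo.demo()
```

Run it with `elixir policy_demo.exs`. The output shows the asymmetry the answer describes: `first` authorizes the admin and forbids the user, `second` forbids both actors because forbid_unless only ever produces :forbidden or falls through, and `fixed` behaves like `first` once the trailing authorize_if always() gives the admin a check that actually yields :authorized.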