rapidfsub
Empty update action with policies?
Here is a test code about my question.
https://github.com/rapidfsub/sonet/blob/develop/test/sonet_lib/ash/policies/common_test.exs#L92
And here is a resource code about my question.
https://github.com/rapidfsub/sonet/blob/develop/test/support/lib/sonet_lib/seven_eleven/product.ex
Brief overview about my test
- resource: Store, Inventory, Product
- actor: Customer
- actions:
Store.purchasecallsInventory.purchasethrumanage_relationship.
Inventory.purchasecallsProduct.purchasethrumanage_relationship. - policies:
Store.purchasechecks open and close time.
Inventory.purchasechecks inventory count.
Product.purchasechecks customer’s age.
Question
Product.purchase update action is an empty action with policies.
Even if it does nothing, but I want to check policies always.
-
With
require_atomic? falsein action, always check policies.
Without it, never check policies. Is this intended behavior? -
Using
require_atomic? falseto force policy check is weird,
and I foundaccess_type :strictforces policy check.
Empty action withaccess_type :filterskips policy check.
Is this intended behavior?
+ small questions (not related to content)
- How can I auto generate
postgres schemamigration? Should I write it manually?
Most Liked
zachdaniel
Okay, I’ve identified the issue. It’s a very specific edge case. Its “skipping” the policy check in the case that an atomic action would induce no changes, however it’s important to note that it only does that when it is explicitly requested that no fields be updated (regardless of their initial value). So a very rare case (to call an update action that statically will not update any fields).
Aside from it being rare, I would not classify this as a security vulnerability because you can already see the record (thats how you’d be updating it in this way), and if an update were to actually happen, it would have been prevented.
Still, its confusing and problematic behavior, especially because it “presents” as if policies are being skipped, which is not a good thing.
zachdaniel
Fixed in ash_postgres version 2.4.10
zachdaniel
Fixed in 2.4.11 of ash_postgres.
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








