rapidfsub

rapidfsub

Empty update action with policies?

Here is a test code about my question.
https://github.com/rapidfsub/sonet/blob/develop/test/sonet_lib/ash/policies/common_test.exs#L92

And here is a resource code about my question.
https://github.com/rapidfsub/sonet/blob/develop/test/support/lib/sonet_lib/seven_eleven/product.ex

Brief overview about my test

  • resource: Store, Inventory, Product
  • actor: Customer
  • actions:
    Store.purchase calls Inventory.purchase thru manage_relationship.
    Inventory.purchase calls Product.purchase thru manage_relationship.
  • policies:
    Store.purchase checks open and close time.
    Inventory.purchase checks inventory count.
    Product.purchase checks customer’s age.

Question

Product.purchase update action is an empty action with policies.
Even if it does nothing, but I want to check policies always.

  1. With require_atomic? false in action, always check policies.
    Without it, never check policies. Is this intended behavior?

  2. Using require_atomic? false to force policy check is weird,
    and I found access_type :strict forces policy check.
    Empty action with access_type :filter skips policy check.
    Is this intended behavior?

+ small questions (not related to content)

  1. How can I auto generate postgres schema migration? Should I write it manually?

Most Liked

zachdaniel

zachdaniel

Creator of Ash

Okay, I’ve identified the issue. It’s a very specific edge case. Its “skipping” the policy check in the case that an atomic action would induce no changes, however it’s important to note that it only does that when it is explicitly requested that no fields be updated (regardless of their initial value). So a very rare case (to call an update action that statically will not update any fields).

Aside from it being rare, I would not classify this as a security vulnerability because you can already see the record (thats how you’d be updating it in this way), and if an update were to actually happen, it would have been prevented.

Still, its confusing and problematic behavior, especially because it “presents” as if policies are being skipped, which is not a good thing.

zachdaniel

zachdaniel

Creator of Ash

Fixed in ash_postgres version 2.4.10

zachdaniel

zachdaniel

Creator of Ash

Fixed in 2.4.11 of ash_postgres.

Where Next?

Popular in Questions Top

Tee
can someone please explain to me how Enum.reduce works with maps
New
Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
JulienCorb
I am trying to implement my new.html.eex file to create new posts on my website. new.html.eex: <h1>Create Post</h1> <%= ...
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
lucidguppy
I have a super simple question about elixir - how would I take a file like this foo bar baz and output a new file that enumerates th...
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" => #BSON.ObjectId<58eb1a7a9ad169198c3dXXXX>, "email" => ...
New

Other popular topics Top

skosch
To my knowledge, put_in, Map.update etc. all have the one limitation of not automatically creating intermediate keys when needed (for exa...
New
chrismccord
Phoenix 1.4.0 released Phoenix 1.4 is out! This release ships with exciting new features, most notably with HTTP2 support, improved deve...
688 30877 112
New
AngeloChecked
What learn first? Rust or Elixir Hi Elixir community! I’m here because i want learn a new language. I’m a junior developer and mainly i ...
New
vonH
When I run the Plug and I recompile I wind up having to use Ctrl C to quit iex and start again. Witht the help of rlwrap I can use the cu...
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
joaquinalcerro
Hi there, I am working with Ecto-Postgresql and I need to call all of the records from a specific table but the table has 40,000 records...
New
Qqwy
Update: How to use the Blogs & Podcasts section You can post links to your blog posts or podcasts either in one of the Official Blog...
3271 126479 1222
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New
lanycrost
Hi everyone! I need implement if…else if…else condition from my elixir code, and anymore of this control flow structures not work proper...
New

We're in Beta

About us Mission Statement