Ensure actor can only create resource for themselves

sodapopcan · March 16, 2025, 3:59pm

The docs give this example of a policy:

policy action_type([:create, :update, :destroy]) do
  authorize_if expr(owner_id == ^actor(:id))
end

This is in the context of a policy group. Using it throws an error that filter expressions cannot be used for creations. I also get if I do it outside a group:

policy action_type(:create) do
  authorize_if expr(owner_id == ^actor(:id))
end

I read and understood the error message and it makes sense since there is no data yet for create, but how would you ensure that an actor can only create a resource for themselves?

I would like to do this:

MyApp.Items.create_item(%{
    title: "New item",
    user_id: user.id
  },
  actor: user
)

I’m also wondering more out of curiosity (even though I don’t want to do it this way) is there is a way to reference actor in action in change? For example, I tried to do this:

create :create do
  accept [:title]
  change set_attribute(:user_id, actor(:id))
end

though I see actor/1 is only available in expr (I think?)

Thanks!

zachdaniel · March 16, 2025, 4:11pm

You actually can do what you described, but there is a more expressive builtin for it.

change relate_actor(:user)

And what it could look like done manually:

change fn changeset, context -> 
  Ash.Changeset.force_change_attribute(changeset, :user_id, context.actor.id)
end

zachdaniel · March 16, 2025, 4:12pm

We should probably update those docs to remove :create from the example, could you open a PR or issue to track that?

sodapopcan · March 16, 2025, 4:15pm

D’oh, sorry, this was an RTFM failure (did not find relate_actor or realize that change takes a fun) that’s awesome.

Yep, I’m happy to open a PR to fix docs!

sodapopcan · March 16, 2025, 4:24pm

Oh wait I was a bit overzealous there.

First, I’ll add that yes my bad, change set_attribute(:user_id, actor(:id)) does work, I had a different error

Secondly, how would you ensure the actor matches the passed user id purely at the policy level? Is that just not possible right now?

zachdaniel · March 16, 2025, 4:43pm

Oh, it’s very much possible. There are various ways you could do it.

policy :create do
  authorize_if relating_to_actor(:user)
end

defmodule MyApp.Checks.SomeCustomCheck do
  use Ash.Policy.SimpleCheck

  def match?(actor, %{subject: changeset}, _) do
    # arbitrary logic here
  end
end

policy action_type(:create) do
  authorize_if MyApp.Checks.SomeCustomCheck
end

sodapopcan · March 16, 2025, 4:46pm

Ha, amazing. Ok, thank you. Need more careful RTFM on my side.