sodapopcan
Ensure actor can only create resource for themselves
The docs give this example of a policy:
policy action_type([:create, :update, :destroy]) do
authorize_if expr(owner_id == ^actor(:id))
end
This is in the context of a policy group. Using it throws an error that filter expressions cannot be used for creations. I also get if I do it outside a group:
policy action_type(:create) do
authorize_if expr(owner_id == ^actor(:id))
end
I read and understood the error message and it makes sense since there is no data yet for create, but how would you ensure that an actor can only create a resource for themselves?
I would like to do this:
MyApp.Items.create_item(%{
title: "New item",
user_id: user.id
},
actor: user
)
I’m also wondering more out of curiosity (even though I don’t want to do it this way) is there is a way to reference actor in action in change? For example, I tried to do this:
create :create do
accept [:title]
change set_attribute(:user_id, actor(:id))
end
though I see actor/1 is only available in expr (I think?)
Thanks!
Marked As Solved
zachdaniel
You actually can do what you described, but there is a more expressive builtin for it.
change relate_actor(:user)
And what it could look like done manually:
change fn changeset, context ->
Ash.Changeset.force_change_attribute(changeset, :user_id, context.actor.id)
end
Also Liked
zachdaniel
Oh, it’s very much possible. There are various ways you could do it.
policy :create do
authorize_if relating_to_actor(:user)
end
defmodule MyApp.Checks.SomeCustomCheck do
use Ash.Policy.SimpleCheck
def match?(actor, %{subject: changeset}, _) do
# arbitrary logic here
end
end
policy action_type(:create) do
authorize_if MyApp.Checks.SomeCustomCheck
end
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








