Forbid all but one field using field policies

marmor157 · September 29, 2023, 5:18am

Hello, I need to forbid Anonymous actor access to all fields but id and status . Basically it’s needed for some calulcations but we don’t want him to have access to any other data. So I’ve tried using policies like this:

  field_policies do
    field_policy :status do
      authorize_if always()
    end

    field_policy :* do
      forbid_if Checks.IsAnonymousActor
      authorize_if always()
    end
  end

But this seems to not be working, probably because for status filed Ash checks policies from both status and :* . Is there any way to achieve that?

zachdaniel · September 29, 2023, 5:20am

All field policies that apply to a field must pass, so in that case yes both policies apply. You’d need to include a full list of all fields except for the one in question instead of using :*. I’m open to UX improvements there

marmor157 · September 29, 2023, 5:22am

Actually I’ve just came up with a solution

 field_policies do
    field_policy_bypass :status do
      authorize_if always()
    end

    field_policy :* do
      forbid_if Checks.IsAnonymousActor
      authorize_if always()
    end
  end

zachdaniel · September 29, 2023, 1:36pm

Clever using the bypass, I didn’t think of it.