How does everyone handle resource level permissions?

I recently implemented access control in a Ruby app. The approach would be similar to how I’d go about it in Elixir. We used an access control list model with a database table per resource. So x_acls, y_acls, etc. Each access to the particular object would either verify access with a database lookup, or provide a list query with a join (so data you can’t access isn’t returned). We had various access levels, so used a bit field for that.

The implementation was pretty much what you’d expect based on the above. However, the most important thing for us was knowing that every access to the object was properly verified. We used monkey patching of SQL execution to verify that.

In Ecto, you could use the `prepare_query` callback on the repo. I would verify that the query has the proper information included in it, or allow a process-wide bypass that serves as a “we verified this as engineers” escape hatch.

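A sketch of the `prepare_query` idea from the post above, as an added example and not the poster's own code. It assumes a repo module `MyApp.Repo`, the convention that every ACL table name ends in `_acls`, and a process-dictionary flag for the engineer-verified bypass; it only checks that an ACL source is present, not that the `on` clause is right.

```elixir
defmodule MyApp.Repo.UncheckedAccessError do
  defexception [:message]
end

defmodule MyApp.Repo do
  use Ecto.Repo, otp_app: :my_app, adapter: Ecto.Adapters.Postgres

  # Process-local flag (assumed design): set only inside with_acl_bypass/1.
  @bypass_key {__MODULE__, :acl_bypass}

  @doc "Engineer-verified escape hatch: disables the ACL check for this process while `fun` runs."
  def with_acl_bypass(fun) when is_function(fun, 0) do
    previous = Process.put(@bypass_key, true)

    try do
      fun.()
    after
      # Restore the prior state so a nested bypass cannot leak past its own scope.
      if previous, do: Process.put(@bypass_key, true), else: Process.delete(@bypass_key)
    end
  end

  # Ecto calls this before every query is planned; reads are the ones gated here.
  @impl true
  def prepare_query(op, query, opts) when op in [:all, :stream] do
    cond do
      Process.get(@bypass_key) -> {query, opts}
      # Reading an *_acls table itself is the lookup that grants access, so it passes.
      acl_source?(query.from.source) -> {query, opts}
      Enum.any?(query.joins, &acl_source?(&1.source)) -> {query, opts}
      true ->
        raise MyApp.Repo.UncheckedAccessError,
          message:
            "query on #{inspect(query.from.source)} has no *_acls join; " <>
              "wrap it in MyApp.Repo.with_acl_bypass/1 if that is intended"
    end
  end

  def prepare_query(_op, query, opts), do: {query, opts}

  # Sources arrive as {"x_acls", nil}, {nil, XAcl} or {"x_acls", XAcl} depending on
  # how the query was written; subqueries and fragments never count as an ACL check.
  defp acl_source?({table, _schema}) when is_binary(table), do: String.ends_with?(table, "_acls")

  defp acl_source?({nil, schema}) when is_atom(schema) and not is_nil(schema),
    do: acl_source?({schema.__schema__(:source), schema})

  defp acl_source?(_), do: false
end
```

With this in place, `MyApp.Repo.all(from d in Document)` raises, while `MyApp.Repo.all(from d in Document, join: a in "document_acls", on: a.document_id == d.id and a.user_id == ^user_id)` passes, and a migration or admin job can opt out with `MyApp.Repo.with_acl_bypass(fn -> ... end)`.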