Policies to check ownership

Hello,

I have read the beta version of the book Ash Framework. It’s something Ash needed! Congratulations @zachdaniel and @sevenseacat , I appreciate it. I’m looking forward to the new chapters!

After reading chapter 6 about Authorization, I have a question.

Imagine a typical domain where we have:

  • Business (The tenant, everything is related to a business)
    • has many User. They are managers. Each manager can modify data related to the business.
  • Posts: Belong to business. The tenant is the business, and any of the managers can be the actor in a field like created_by
  • Comments: Any user can create comments. The actor is the user that created the comment

What I want to check:

  • Only business managers can update/delete comments

I see that the check actor_attribute_equals is very handy, but I need to check the actor following relationships on the instance being updated/deleted:

actor in (Comment -> Post -> Business -> managers)

What is the recommended Ash way to create a policy like this one?

Thanks!

Thank you so much, I’m glad you’ve found it useful!

The built in policy check relates_to_actor_via might be what you’re after?

3 Likes

Yes, I think that’s what I need! I don’t know how I missed that.

A couple more questions:

  1. Does the check load the relationships, or is it something we have to do before using the check?
  2. If the Users are related to Business using an intermediate M2M table with the field :role, is it possible to check the role of the user to make sure that only :admin users can pass the check?

Thanks!

The check happens in the database query, no need to load anything :slight_smile:

If you need intermediate checks, you can use exists:

authorize_if expr(exists(business.role, role == :admin and user_id == ^actor(:id)))

1 Like
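Putting the two answers together as one resource, here is an added example (not code from the thread or from the Ash project) of a Comment resource whose update and destroy actions are restricted to business managers. It assumes resource names (MyApp.Blog.Comment, MyApp.Blog.Post, MyApp.Accounts.User), an AshPostgres data layer, a :business relationship on Post with a :managers many-to-many relationship, and that the join resource is exposed on Business as a :memberships relationship carrying :role and :user_id fields; all of those names are assumptions for the illustration.

```elixir
defmodule MyApp.Blog.Comment do
  # Assumed module, domain and data layer names; the thread does not name them.
  use Ash.Resource,
    domain: MyApp.Blog,
    data_layer: AshPostgres.DataLayer,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
    attribute :body, :string, allow_nil?: false
  end

  relationships do
    belongs_to :post, MyApp.Blog.Post, allow_nil?: false
    belongs_to :author, MyApp.Accounts.User, allow_nil?: false
  end

  policies do
    # Anyone can read comments.
    policy action_type(:read) do
      authorize_if always()
    end

    # A comment may only be created on behalf of the acting user.
    policy action_type(:create) do
      authorize_if relating_to_actor(:author)
    end

    # Ownership check following relationships from the record being changed:
    # Comment -> Post -> Business -> managers must contain the actor.
    # The check is compiled into the data-layer query, so nothing is loaded first.
    policy action_type([:update, :destroy]) do
      authorize_if relates_to_actor_via([:post, :business, :managers])
    end
  end
end

defmodule MyApp.Blog.CommentAdminOnly do
  # Variant of the same policy that also requires an :admin role on the
  # assumed join resource, using exists/2 as in the second answer.
  use Ash.Resource,
    domain: MyApp.Blog,
    data_layer: AshPostgres.DataLayer,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
    attribute :body, :string, allow_nil?: false
  end

  relationships do
    belongs_to :post, MyApp.Blog.Post, allow_nil?: false
    belongs_to :author, MyApp.Accounts.User, allow_nil?: false
  end

  policies do
    policy action_type([:update, :destroy]) do
      # `memberships`, `role` and `user_id` are assumed names on the join resource.
      authorize_if expr(
                     exists(
                       post.business.memberships,
                       role == :admin and user_id == ^actor(:id)
                     )
                   )
    end
  end
end
```

With policies declared this way, every call such as `Ash.update(comment, %{body: "..."}, actor: user)` is filtered or rejected by the authorizer, so a non-manager receives a forbidden error rather than a silently successful write; checking a policy on the instance being changed, not only on the create path, is what closes the gap the original question describes.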