Policy failure results in raised, unhandled error in ash_graphql update

I’m trying to upgrade from Ash 2 to 3, and I’m stumped on restoring the behavior of one of my ash_graphql mutations. It’s an update mutation that defines a read_only :current_actor, because the current actor is what is being updated. Basically, the customer needs to update their own customer record. @zachdaniel helped me come up with this solution originally, but for one case, it doesn’t work anymore. It’s the case where there is missing or invalid auth token in the GraphQL request. The GraphQL response should have an error that says the request is forbidden, but it returns the “Something went wrong” generic error instead.

The ash_graphql mutation looks like this:

update :update_customer_registration, :update_customer_registration do
  identity false
  read_action :current_actor
end

The :current_actor action looks like this:

read :current_actor do
  get? true
  manual CurrentActorRead
end

And CurrentActorRead looks like this:

defmodule CurrentActorRead do
  use Ash.Resource.ManualRead

  @impl true
  def read(_, _, _, %{actor: actor}) when not is_nil(actor) do
    {:ok, [actor]}
  end

  def read(_, _, _, _), do: {:ok, []}
end

When I run the test case where the auth token is invalid, this is in the output:

19:21:55.947 request_id=F-AbhQRDHA7dOdEAAZTB [warning] Corp.Customers.Customer.current_actor


Policy Breakdown
  Policy | 🔎:
    condition: action in [:update_customer_registration, :current_actor, :get_customer_self]    
    authorize if: actor.__struct__ == Corp.Customers.Customer | ✘ | 🔎
19:21:55.954 request_id=F-AbhQRDHA7dOdEAAZTB [error] ba677cf1-83eb-4d29-a77d-20784dc8faa5: Exception raised while resolving query.

** (Ash.Error.Forbidden) Forbidden Error

* forbidden:

Corp.Customers.Customer.current_actor


Policy Breakdown
  Policy | 🔎:
    condition: action in [:update_customer_registration, :current_actor, :get_customer_self]    
    authorize if: actor.__struct__ == Corp.Customers.Customer | ✘ | 🔎
  (elixir 1.16.1) lib/process.ex:860: Process.info/2

The policy failure is raising an error, which is not getting handled. It seems to be the right kind of error, but the way its propagated to the response is wrong. And by the way, the happy path case works fine.

Hmmmmm…is there a stack trace in the logs/raised error?

I created an ash_graph issue that might be the cause.

Perfect, will take a look tomorrow.

This is now resolved.

1 Like