Should “tier limits” live in policies or actions?

I’m building a SaaS app and I will have multiple tiers of users (like most SaaS). There will be different limits depending on what tier the user is on. As an example, if you are a free user you can only view your latest 10 messages, if you are standard the latest 100, and premium can read all. That is just an example of a restriction based on tier.

My question now is if this logic should live in actions or in policies? Are policies only meant for more “security” stuff like making sure users can only see their own stuff or can we use policies for things like enforcing tier limits?

If policies can be used for tier limits then I can’t really figure out how to put, for example, a limit or order by in a policy expression. I tried this but it does not work:

```elixir
  def filter(actor, authorizer, opts) do
    case actor do
      # limit/1 is not an expression function, so the policy cannot apply a limit this way
      %{account_type: :free} -> expr(project.members == ^actor(:id) && limit(1))
      _else -> expr(project.members == ^actor(:id) && limit(100))
    end
  end
```

In your case, they will need to be applied in actions. Policies do not currently have a way to add a limit to a query.

This is in a bit of a gray area in terms of policies vs. action logic, but I’d suggest favoring putting things in actions when you arrive at that kind of gray area :slight_smile:

1 Like
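One way to split this along the lines the answer suggests, as an added example that is not from the original thread or from the Ash project itself: the ownership check stays in a policy, and the tier limit is applied by a preparation on the read action. The resource, domain and attribute names and the actor's `account_type` field are assumptions; the 10 / 100 / unlimited limits are the ones from the question.

```elixir
defmodule MyApp.Chat.Message do
  # Assumed resource and domain names; the ETS data layer needs no database.
  use Ash.Resource,
    domain: MyApp.Chat,
    data_layer: Ash.DataLayer.Ets,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
    attribute :body, :string, allow_nil?: false
    # Assumed: id of the user who owns the message.
    attribute :owner_id, :uuid, allow_nil?: false
    create_timestamp :inserted_at
  end

  actions do
    create :create do
      accept [:body, :owner_id]
    end

    read :latest do
      # The tier limit is business logic, so it lives in the action, not in a policy.
      # The actor is assumed to carry :account_type of :free, :standard or :premium.
      prepare fn query, %{actor: actor} ->
        query = Ash.Query.sort(query, inserted_at: :desc)

        case actor do
          %{account_type: :premium} -> query
          %{account_type: :standard} -> Ash.Query.limit(query, 100)
          # Free tier, and also any unknown or missing tier: fall back to the
          # most restrictive limit rather than silently granting unlimited reads.
          _free_or_unknown -> Ash.Query.limit(query, 10)
        end
      end
    end
  end

  policies do
    # Authorization stays in the policy: a user only ever reads their own
    # messages, whatever their tier.
    policy action_type(:read) do
      authorize_if expr(owner_id == ^actor(:id))
    end
  end
end

# Usage (assumed actor shape): a free user gets at most their 10 newest messages.
# MyApp.Chat.Message
# |> Ash.Query.for_read(:latest, %{}, actor: %{id: user_id, account_type: :free})
# |> Ash.read!()
```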

Thanks! Hope it might be added in the future (because it would be nice to just write everything in policies)!

1 Like