Unclear Ash Policy Behaviour

Hey, there

I’m trying to learn about Ash policies with this barebones resource.

defmodule ExampleApp.Resource do
  use Ash.Resource,
    authorizers: [Ash.Policy.Authorizer],
    data_layer: :embedded

  attributes do
    uuid_primary_key :id
    attribute :field, :string
  end

  policies do
    policy always() do
      forbid_if always()
    end
  end

  actions do
    defaults [:create, :read]
  end

  code_interface do
    define_for ExampleApp.Api
    define :create
  end
end

If my understanding is correct, this policy is guaranteed to fail.

Yet, ExampleApp.Resource.create/2 always succeeds when I test it.

Any help on how I can understand or resolve this?

PS: I’m currently on 2.21.8 in case this has anything to do with the 3.0 changes.

Are you providing actor or authorize? options when calling the action? In 2.x, the default authorization strategy is :when_requested, which means “when an actor is provided or when authorize?: true is given”.

So Resource.create(...) might not run authorization. In 3.0, the default has been changed to :by_default.

You can adopt this change in 2.x by adding this to your api module:

authorization do
  authorize :by_default
end

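To make the difference concrete, here is an added example (not code from the thread or from the Ash project) of an Ash 2.x Api module with the :by_default strategy, together with the calls that opt in to or out of authorization explicitly. It assumes the ExampleApp.Resource from the question is the resource being registered, and the module name ExampleApp.PolicyCheck is a placeholder.

```elixir
# Added example, not from the thread. ExampleApp.Api and ExampleApp.Resource
# are the names used in the question; ExampleApp.PolicyCheck is made up here.
defmodule ExampleApp.Api do
  use Ash.Api

  # Without this block the 2.x default is :when_requested, so a call that passes
  # neither an actor nor authorize?: true never runs the resource's policies.
  authorization do
    authorize :by_default
  end

  resources do
    # Assumed: the resource defined in the question is registered here.
    resource ExampleApp.Resource
  end
end

defmodule ExampleApp.PolicyCheck do
  @moduledoc """
  Shows why `forbid_if always()` can look like it "always succeeds": the policy
  is only evaluated when authorization is requested, either per call or by the
  Api's default strategy.
  """

  # Explicit opt-in. This exercises the policy under either strategy, so it is
  # the safe way to check a policy in a test. Passing an actor (actor: some_user)
  # also triggers authorization under :when_requested.
  def create_authorized(params) do
    ExampleApp.Resource
    |> Ash.Changeset.for_create(:create, params)
    |> ExampleApp.Api.create(authorize?: true)
  end

  # Explicit opt-out. Bypasses the policy even with :by_default configured, so
  # reserve it for trusted internal code paths and keep it easy to grep for.
  def create_unauthorized(params) do
    ExampleApp.Resource
    |> Ash.Changeset.for_create(:create, params)
    |> ExampleApp.Api.create(authorize?: false)
  end

  # Same opt-in through the code interface from the question; the second
  # argument is the same option list the Api call accepts.
  def create_via_interface(params) do
    ExampleApp.Resource.create(params, authorize?: true)
  end
end
```

With the forbid-everything policy from the question, create_authorized/1 and create_via_interface/1 should return an {:error, %Ash.Error.Forbidden{}} tuple, while create_unauthorized/1 skips the policy entirely. A call that passes no options at all behaves like the authorized variant once the Api carries authorize :by_default, and like the unauthorized variant under the 2.x default of :when_requested, which is the behaviour the question observed.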
I completely forgot that I read that in the 3.0 changelog.
