Unclear Ash Policy Behaviour

Hey there,

I’m trying to learn about Ash policies with this barebones resource.

defmodule ExampleApp.Resource do
  use Ash.Resource,
    authorizers: [Ash.Policy.Authorizer],
    data_layer: :embedded

  attributes do
    uuid_primary_key :id
    attribute :field, :string
  end

  policies do
    policy always() do
      forbid_if always()
    end
  end

  actions do
    defaults [:create, :read]
  end

  code_interface do
    define_for ExampleApp.Api
    define :create
  end
end

If my understanding is correct, this policy is guaranteed to fail.

Yet, ExampleApp.Resource.create/2 always succeeds when I test it.

Any help on how I can understand or resolve this?

PS: I’m currently on 2.21.8 in case this has anything to do with the 3.0 changes.

Are you providing actor or authorize? options when calling the action? In 2.x, the default authorization strategy is :when_requested, which means "when an actor is provided or when authorize?: true is given".

So Resource.create(...) might not run authorization. In 3.0, the default has been changed to :by_default.

You can adopt this change in 2.x by adding this to your api module:

authorization do
  authorize :by_default
end
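The two triggers described in the reply above (an actor, or an explicit authorize?: true) and the 2.x opt-in to the 3.0 default, as an added example that is not part of the original thread and not the Ash project's own code. It assumes the resource from the question, an Api module named ExampleApp.Api, and a throwaway actor map and :field value.

```elixir
# Added example (not from the original thread): an Api module for the
# resource above with the 2.x opt-in to the 3.0 default, plus a small
# module that exercises the three ways the create action can be called.
# ExampleApp.Api, ExampleApp.PolicyCheck, the actor map and the :field
# value are assumptions for illustration.
defmodule ExampleApp.Api do
  use Ash.Api

  # With :when_requested (the 2.x default) a call that passes neither
  # `actor` nor `authorize?: true` skips the policies entirely, which is
  # why `forbid_if always()` appeared not to fire. :by_default runs them
  # on every call unless `authorize?: false` is passed explicitly.
  authorization do
    authorize :by_default
  end

  resources do
    resource ExampleApp.Resource
  end
end

defmodule ExampleApp.PolicyCheck do
  @moduledoc "Shows when the `forbid_if always()` policy actually runs."

  alias ExampleApp.Resource

  # Explicitly request authorization: the policy runs regardless of the
  # Api-level strategy, so this is forbidden in both configurations.
  def create_authorized(params \\ %{field: "demo"}) do
    Resource.create(params, authorize?: true)
  end

  # Supplying an actor also counts as "requested" under :when_requested.
  # The actor itself is a placeholder map; the policy forbids everyone.
  def create_as_actor(params \\ %{field: "demo"}) do
    Resource.create(params, actor: %{id: "some-user"})
  end

  # No options at all: this is the call from the question. Under
  # :when_requested it bypasses the policy; under :by_default it is
  # forbidden like the other two.
  def create_plain(params \\ %{field: "demo"}) do
    Resource.create(params)
  end

  # Reduce the action result to a tag so the variants are easy to compare
  # in IEx. Ash reports policy failures as Ash.Error.Forbidden.
  def outcome({:ok, _record}), do: :allowed
  def outcome({:error, %Ash.Error.Forbidden{}}), do: :forbidden
  def outcome({:error, other}), do: {:other_error, other}
end
```

In IEx, ExampleApp.PolicyCheck.create_plain() |> ExampleApp.PolicyCheck.outcome() is the quick check: it comes back :allowed while the Api is on :when_requested and :forbidden once authorize :by_default is in place, whereas create_authorized/1 and create_as_actor/1 are forbidden either way. Treating "no actor and no authorize? option" as "no authorization" is the security-relevant trap here, and it is the reason 3.0 flipped the default.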

I completely forgot that I read that in the 3.0 changelog.

Thanks!
