moxley
Unwanted policy logging when using field_policies and an `update` action
My application is configured with config :ash, :policies, log_policy_breakdowns: true. And there is a resource that has field_policies defined. Some fields should only be accessible by an admin user, so the field policies are designed to enforce that restriction.
The problem is that when I run an :update_self action for a non-admin user, there are at least two warning log entries. I don’t want those showing up in the logs for this use case.
The log messages appear to come from the field policies, because they aren’t logged when I allow unrestricted access to all fields.
Here are the field policies:
field_policies do
field_policy_bypass @admin_only_fields, {ActiveMemberPolicy, []} do
authorize_if always()
end
field_policy_bypass @member_self_fields, actor_attribute_equals(:__struct__, __MODULE__) do
authorize_if expr(id == ^actor(:id))
forbid_if always()
end
field_policy @any_member_fields do
authorize_if {ActiveMemberPolicy, []}
end
end
Here’s the update action code:
# :name is a field that can be updated by the actor, if the record _is_ the actor.
attrs = %{name: "New Name"}
member =
member
|> Ash.Changeset.new()
|> Ash.Changeset.for_update(:update_self, attrs, actor: member)
|> GF.Ash.Api.update!()
And here are the log entries:
12:12:49.195 [warning] GF.Members.Member.update_self
12:12:49.213 [warning] GF.Members.Member.read
In addition, this :self_update action is behind an ash_graphql mutation. The log messages should not appear when that’s called either.
Most Liked
zachdaniel
Field policies are only applied to reading fields, not updating fields. To write policies around changing fields those go in regular policies, i.e
policy changing(:role) do
....
end
moxley
Thanks @zachdaniel, I will investigate this further, then likely open an issue.
moxley
With the latest fixes to Ash, this is now resolved.
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









