moxley

moxley

Unwanted policy logging when using field_policies and an `update` action

My application is configured with config :ash, :policies, log_policy_breakdowns: true. And there is a resource that has field_policies defined. Some fields should only be accessible by an admin user, so the field policies are designed to enforce that restriction.

The problem is that when I run an :update_self action for a non-admin user, there are at least two warning log entries. I don’t want those showing up in the logs for this use case.

The log messages appear to come from the field policies, because they aren’t logged when I allow unrestricted access to all fields.

Here are the field policies:

  field_policies do
    field_policy_bypass @admin_only_fields, {ActiveMemberPolicy, []} do
      authorize_if always()
    end

    field_policy_bypass @member_self_fields, actor_attribute_equals(:__struct__, __MODULE__) do
      authorize_if expr(id == ^actor(:id))
      forbid_if always()
    end

    field_policy @any_member_fields do
      authorize_if {ActiveMemberPolicy, []}
    end
  end

Here’s the update action code:

# :name is a field that can be updated by the actor, if the record _is_ the actor.
attrs = %{name: "New Name"}

member =
  member
  |> Ash.Changeset.new()
  |> Ash.Changeset.for_update(:update_self, attrs, actor: member)
  |> GF.Ash.Api.update!()

And here are the log entries:

12:12:49.195 [warning] GF.Members.Member.update_self
12:12:49.213 [warning] GF.Members.Member.read

In addition, this :self_update action is behind an ash_graphql mutation. The log messages should not appear when that’s called either.

Most Liked

zachdaniel

zachdaniel

Creator of Ash

Field policies are only applied to reading fields, not updating fields. To write policies around changing fields those go in regular policies, i.e

policy changing(:role) do
  ....
end
moxley

moxley

Thanks @zachdaniel, I will investigate this further, then likely open an issue.

moxley

moxley

With the latest fixes to Ash, this is now resolved.

Where Next?

Popular in Questions Top

chokchit
** (DBConnection.ConnectionError) connection not available and request was dropped from queue after 2733ms. You can configure how long re...
New
New
Kurisu
For example for a current url like http://localhost:4000/cosmetic/products?_utf8=✓&query=perfume&page=2, I would like to get: ...
New
qwerescape
Is there a way to get the call stack or stack trace at any point in the code? Not from exceptions, but an expression that returns how the...
New
JulienCorb
I am trying to implement my new.html.eex file to create new posts on my website. new.html.eex: <h1>Create Post</h1> <%= ...
New
itssasanka
Hi all, Trying to get some more clarity over utc_datetime and naive_datetime for Ecto: The documentation above suggests that while ...
New
nobody
Hi! In PHP: $_SERVER[‘SERVER_ADDR’] - in Elixir? Searched the docs for ip address and the web, no good results. Thanks!
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
komlanvi
Hi everyone, I was playing with phoenix liveView but I run into an issue. I have a form and want to validate each input text when the te...
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

Other popular topics Top

hariharasudhan94
lets say i have a sample like a = 20; b = 10; if (a > b) do {:ok, "a"} end if (a < b) do {:ok, b} end if (a == b) do {:ok, "equa...
New
chrismccord
As promised, the first release candidate of Phoenix 1.3.0 is out! This release focuses on code generators with improved project structure...
New
lessless
I believe there are people here who are dealing with CSV files import on the daily basis, and since Excel is a really popular tool there ...
New
greenz1
I have a phoenix application from which a user can download multiple(5-6) files of size 1MB. I couldn’t find anything related to sending ...
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement