Ash.Policy.SimpleCheck behaviour (ash v3.4.68)

A type of check that operates only on the request context, never on the data.

Define match?/3, which receives the actor, the request context, and opts, and returns true or false (see the callback spec below for the other accepted return shapes).

Example

This simple check matches only when the changeset changes no attributes other than those in the provided list.

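defmodule ChangingNothingExcept do
  use Ash.Policy.SimpleCheck

  # Required by Ash.Policy.Check; used when the check is described in policy breakdowns.
  def describe(opts) do
    "changing nothing except #{inspect(opts[:attributes])}"
  end

  # Changeset subject: match only if every changed attribute is in opts[:attributes].
  def match?(_actor, %{subject: %Ash.Changeset{} = changeset}, opts) do
    allowed = opts[:attributes]
    {:ok, Enum.all?(Map.keys(changeset.attributes), &(&1 in allowed))}
  end

  # Any other subject (for example a query) changes nothing, so the check matches.
  def match?(_, _, _), do: true
end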

You could then use this like so:

policy actor_attribute_equals(:role, :foobar) do
  authorize_if {ChangingNothingExcept, attributes: [:foo, :bar]}
end
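
A stricter variant of the check above, as an added example that is not from the Ash documentation: it does not match non-changeset subjects, and it returns `{:error, term}` (the third return shape in the callback spec) when the `:attributes` option is missing or not a list. The module name `ChangingOnly` and the error message are assumptions, and the module must be compiled in a project that depends on Ash.

```elixir
defmodule ChangingOnly do
  # Hypothetical module name; a fail-closed variant of ChangingNothingExcept.
  use Ash.Policy.SimpleCheck

  # describe/1 comes from Ash.Policy.Check and is used in policy breakdowns.
  def describe(opts) do
    "changing only #{inspect(opts[:attributes])}"
  end

  # Changeset subject: every changed attribute must be in the allow-list.
  def match?(_actor, %{subject: %Ash.Changeset{} = changeset}, opts) do
    case Keyword.fetch(opts, :attributes) do
      {:ok, allowed} when is_list(allowed) ->
        changed = Map.keys(changeset.attributes)
        {:ok, Enum.all?(changed, &(&1 in allowed))}

      _missing_or_invalid ->
        # A misconfigured check reports an error rather than matching,
        # instead of raising inside `in` on a nil allow-list.
        {:error, "#{inspect(__MODULE__)} requires an :attributes list"}
    end
  end

  # Queries and any other subject never match, so an `authorize_if`
  # using this check cannot authorize a request it did not inspect.
  def match?(_actor, _context, _opts), do: false
end

# Usage inside a resource's `policies do ... end` block, scoped to updates:
#
#   policy action_type(:update) do
#     authorize_if {ChangingOnly, attributes: [:foo, :bar]}
#   end
```

Both versions inspect `changeset.attributes` only, so changes made through arguments or relationships are outside what either check sees.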

Types

actor()

@type actor() :: Ash.Policy.Check.actor()

context()

@type context() :: Ash.Policy.Authorizer.t()

options()

@type options() :: Keyword.t()

Callbacks

match?(actor, context, options)

@callback match?(actor(), context(), options()) ::
  boolean() | {:ok, boolean()} | {:error, term()}

Whether or not the request matches the check.