View Source Ash.Policy.Authorizer (ash v3.4.46)
An authorization extension for ash resources.
To add this extension to a resource, add it to the list of authorizers
like so:
use Ash.Resource,
...,
authorizers: [
Ash.Policy.Authorizer
]
A resource can be given a set of policies, which are enforced on each call to a resource action.
For reads, policies can be configured to filter out data that the actor shouldn't see, as opposed to resulting in a forbidden error.
See the policies guide for practical examples.
Policies are solved/managed via a boolean satisfiability solver. To read more about boolean satisfiability, see this page: https://en.wikipedia.org/wiki/Boolean_satisfiability_problem. At the end of the day, however, it is not necessary to understand exactly how Ash takes your authorization requirements and determines if a request is allowed. The important thing to understand is that Ash may or may not run any/all of your authorization rules as they may be deemed unnecessary. As such, authorization checks should have no side effects. Ideally, the checks built-in to ash should cover the bulk of your needs.
Summary
Types
@type t() :: %Ash.Policy.Authorizer{ action: Ash.Resource.Actions.Action.t(), action_input: Ash.ActionInput.t() | nil, actor: term(), changeset: Ash.Changeset.t() | nil, check_scenarios: [map()], context: map(), data: term(), data_facts: map(), domain: Ash.Domain.t(), facts: map(), for_fields: term(), policies: [term()], query: Ash.Query.t() | nil, real_scenarios: [map()], resource: Ash.Resource.t(), scenarios: [map()], solver_statement: term(), subject: Ash.Query.t() | Ash.Changeset.t() | Ash.ActionInput.t() }