View Source Ash.Policy.Check behaviour (ash v2.21.13)

A behaviour for declaring checks, which can be used to easily construct authorization rules.

If a check can be expressed simply, i.e as a function of the actor, or the context of the request, see Ash.Policy.SimpleCheck for an easy way to write that check. If a check can be expressed with a filter statement, see Ash.Policy.FilterCheck for an easy way to write that check.

Summary

Types

actor()
authorizer()
check_type()
options()
ref()
t()

Callbacks

auto_filter(actor, authorizer, options)

An optional callback, that allows the check to work with policies set to access_type :filter

check(actor, list, map, options)

An optional callback, hat allows the check to work with policies set to access_type :runtime

describe(options)

Describe the check in human readable format, given the options

requires_original_data?(actor, options)
strict_check(actor, authorizer, options)

Strict checks should be cheap, and should never result in external calls (like database or api)

type()

The type of the check

Functions

defines_auto_filter?(module)
defines_check?(module)

Types

Link to this type

actor()

View Source 
@type actor() :: any()
Link to this type

authorizer()

View Source 
@type authorizer() :: Ash.Policy.Authorizer.t()
Link to this type

check_type()

View Source 
@type check_type() :: :simple | :filter | :manual
Link to this type

options()

View Source 
@type options() :: Keyword.t()
Link to this type

ref()

View Source 
@type ref() :: {module(), Keyword.t()} | module()
Link to this type

t()

View Source 
@type t() :: %Ash.Policy.Check{
  check: term(),
  check_module: term(),
  check_opts: term(),
  type: term()
}

Callbacks

Link to this callback

auto_filter(actor, authorizer, options)

View Source (optional) 
@callback auto_filter(actor(), authorizer(), options()) :: Keyword.t() | Ash.Expr.t()

An optional callback, that allows the check to work with policies set to access_type :filter

Return a keyword list filter that will be applied to the query being made, and will scope the results to match the rule

Link to this callback

check(actor, list, map, options)

View Source (optional) 
@callback check(actor(), [Ash.Resource.record()], map(), options()) :: [
  Ash.Resource.record()
]

An optional callback, hat allows the check to work with policies set to access_type :runtime

Takes a list of records, and returns the subset of authorized records.

Link to this callback

describe(options)

View Source 
@callback describe(options()) :: String.t()

Describe the check in human readable format, given the options

Link to this callback

requires_original_data?(actor, options)

View Source 
@callback requires_original_data?(actor(), options()) :: boolean()
Link to this callback

strict_check(actor, authorizer, options)

View Source 
@callback strict_check(actor(), authorizer(), options()) ::
  {:ok, boolean() | :unknown} | {:error, term()}

Strict checks should be cheap, and should never result in external calls (like database or api)

It should return {:ok, true} if it can tell that the request is authorized, and {:ok, false} if it can tell that it is not. If unsure, it should return {:ok, :unknown}

Link to this callback

type()

View Source 
@callback type() :: check_type()

The type of the check

:manual checks must be written by hand as standard check modules :filter checks can use Ash.Policy.FilterCheck for simplicity :simple checks can use Ash.Policy.SimpleCheck for simplicity

Functions

Link to this function

defines_auto_filter?(module)

View Source
Link to this function

defines_check?(module)

View Source