View Source Ash.Policy.Info (ash v1.53.2)

An authorization extension for ash resources.

For more information, see Ash.Policy.Authorizer

Link to this section Summary

Functions

A utility to determine if an actor is or may be authorized for a given action.

A utility to determine if an actor is or may be authorized for a given action.

Whether or not ash policy authorizer is configured to show policy breakdowns in error messages

Whether or not ash policy authorizer is configured to show policy breakdowns in error messages

A utility to determine if a given query/changeset would pass authorization.

Link to this section Types

@type can_option() :: {:api, module()} | {:maybe_is, boolean() | :maybe}
@type can_option?() :: {:api, module()} | {:maybe_is, boolean()}
@type request() :: Ash.Engine.Request.t()

Link to this section Functions

Link to this function

can(resource, action_or_action_name, actor, opts \\ [])

View Source
@spec can(Ash.Resource.t(), atom(), map() | nil, [can_option()]) :: boolean() | :maybe

A utility to determine if an actor is or may be authorized for a given action.

This only runs the "strict check" portion of policies, meaning that it can return :maybe in some cases. If you have access_type :runtime in any of your policies, then you may get :maybe from this function. To customize what is returned in the case of :maybe you can provide the maybe_is option, i.e maybe_is: true. This makes sense when you want to a show a button, but only if the user may be able to perform the action.

For read actions, an important thing to factor in here is that typically policies just end up filtering the action. This means that even if you try to read something you can't read, your read action will succeed but nothing will be returned, and this function would return true.

Link to this function

can?(resource, action_or_action_name, actor, opts \\ [])

View Source
@spec can?(Ash.Resource.t(), atom(), map() | nil, [can_option?()]) :: boolean()

A utility to determine if an actor is or may be authorized for a given action.

A shortcut for calling can/4 but with the maybe_is option defaulting to false, so this should always return a boolean.

See the documentation of can/4 for more.

Link to this function

default_access_type(resource)

View Source
Link to this function

describe_resource(resource)

View Source

Whether or not ash policy authorizer is configured to show policy breakdowns in error messages

Link to this function

show_policy_breakdowns?()

View Source

Whether or not ash policy authorizer is configured to show policy breakdowns in error messages

Link to this function

strict_check(actor, query, api)

View Source

A utility to determine if a given query/changeset would pass authorization.

This is still experimental.