ash_policy_authorizer v0.15.0 AshPolicyAuthorizer.FilterCheck behaviour View Source

A type of check that is represented by a filter statement

That filter statement can be templated, currently only supporting {:_actor, field} which will replace that portion of the filter with the appropriate field value from the actor and {:_actor, :_primary_key} which will replace the value with a keyword list of the primary key fields of an actor to their values, like [id: 1]. If the actor is not present {:_actor, field} becomes nil, and {:_actor, :_primary_key} becomes false.

You can customize what the "negative" filter looks like by defining reject/1. This is important for filters over related data. For example, given an owner relationship and a data layer like ash_postgres where column != NULL does not evaluate to true (see postgres docs on NULL for more):

# The opposite of
`owner.id == 1`
# in most cases is not
`not(owner.id == 1)`
# because in postgres that would be `NOT (owner.id = NULL)` in cases where there was no owner
# A better opposite would be
`owner.id != 1 or is_nil(owner.id)`
# alternatively
`not(owner.id == 1) or is_nil(owner.id)`

By being able to customize the reject filter, you can use related filters in your policies. Without it, they will likely have undesired effects.

Link to this section Summary

Link to this section Types

Specs

options() :: Keyword.t()

Link to this section Functions

Link to this function

is_filter_check?(module)

View Source

Link to this section Callbacks

Link to this callback

filter(options)

View Source (optional)

Specs

filter(options()) :: Keyword.t()
Link to this callback

reject(options)

View Source (optional)

Specs

reject(options()) :: Keyword.t()