
bobek
Ash Framework: Final album policy (p155)
The final section on policies states that
We can’t combine built-in policy checks, so we’ll have to fall back to writing an expression, like expr(published == true), to verify both conditions in the same policy check. We end up with a policy like the following:
    policy action_type([:update, :destroy]) do
      authorize_if expr(^actor(:role) == :editor and created_by_id == ^actor(:id))
    end
Can you please expand on this a bit? Why can't those be combined? It was stated previously that simple checks can be combined with filter checks. Also, after some experimenting, I’ve ended up with the following code, which seems to be working:
    policy action([:update, :destroy]) do
      forbid_unless actor_attribute_equals(:role, :editor)
      authorize_if relates_to_actor_via(:created_by)
      # Also added permission to work with Albums without creator, just to experiment.
      # Wonder if there is a better way:
      authorize_if expr(is_nil(created_by_id))
    end
Marked As Solved

sevenseacat
You can combine simple checks and filter checks as separate checks in the same policy, that’s correct.
By “can’t combine built-in checks” I meant in the same policy check, something like:
    authorize_if actor_attribute_equals(:role, :editor) && relates_to_actor_via(:created_by)
Which doesn’t work!
I’m pretty sure your version with two checks is equivalent, but I find it a lot harder to wrap my head around it, with the separate checks with inverted rules (which is why I can’t say with 100% confidence that they’re equivalent!)
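Added example, not from the book or from either poster: a plain-Elixir model of how the checks inside one policy are evaluated, used to compare the book's single-expression policy with the two-check version from the question over a small set of actors and records. The module, its function names and the sample actors and records are hypothetical; the model assumes Ash's documented rule that checks run in order and the first decision wins, evaluates each check against one concrete record, and does not model how filter checks are applied to queries.

```elixir
# Added model, not Ash code: a policy is an ordered list of {kind, check} pairs.
# Assumption (Ash's documented rule): checks run top to bottom, the first one
# that yields a decision wins, and a policy with no decision is forbidden.
defmodule PolicyModel do
  def decide(checks, actor, record) do
    Enum.find_value(checks, :forbidden, fn {kind, check} ->
      case {kind, check.(actor, record)} do
        {:authorize_if, true} -> :authorized
        {:forbid_if, true} -> :forbidden
        {:authorize_unless, false} -> :authorized
        {:forbid_unless, false} -> :forbidden
        _ -> nil
      end
    end)
  end

  # Stand-ins for the checks used in the thread.
  def editor?(actor, _record), do: actor.role == :editor
  def creator?(actor, record), do: record.created_by_id == actor.id
  def no_creator?(_actor, record), do: is_nil(record.created_by_id)

  # The book's single-expression policy.
  def book, do: [{:authorize_if, fn a, r -> editor?(a, r) and creator?(a, r) end}]

  # The two-check version from the question, without the extra is_nil clause.
  def split, do: [{:forbid_unless, &editor?/2}, {:authorize_if, &creator?/2}]

  # The version as posted, including the is_nil(created_by_id) clause.
  def posted, do: split() ++ [{:authorize_if, &no_creator?/2}]

  # Every actor/record pair (constructed sample data) on which two policies disagree.
  def differences(p1, p2) do
    for role <- [:admin, :editor, :user],
        created_by_id <- [1, 2, nil],
        actor = %{id: 1, role: role},
        record = %{created_by_id: created_by_id},
        d1 = decide(p1, actor, record),
        d2 = decide(p2, actor, record),
        d1 != d2,
        do: {role, created_by_id, d1, d2}
  end
end

IO.inspect(PolicyModel.differences(PolicyModel.book(), PolicyModel.split()), label: "book vs split")
IO.inspect(PolicyModel.differences(PolicyModel.book(), PolicyModel.posted()), label: "book vs posted")
```

Under this model the book's policy and the two-check version decide identically on every sampled pair, and the posted version differs only for an editor acting on a record with no creator, which is the case the extra `is_nil` clause was added to allow.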