bobek
Ash Framework: Final album policy (p155)
The final section on policies states that
We can’t combine built-in policy checks, so we’ll have to fall back to writing
an expression, likeexpr(published == true), to verify both conditions in the same policy check. We end up with a policy like the following:
policy action_type([:update, :destroy]) do
authorize_if expr(^actor(:role) == :editor and created_by_id == ^actor(:id))
end
Can you please expand on this a bit? Why those cannot be combined? It was stated previously, that simple checks can be combined with filter checks. Also, after some experimenting, I’ve ended up with the following code, which seems to be working:
policy action([:update, :destroy]) do
forbid_unless actor_attribute_equals(:role, :editor)
authorize_if relates_to_actor_via(:created_by)
# Also added permission to work with Albums without creator, just to experiment.
# Wonder is there is a better way:
authorize_if expr(is_nil(created_by_id))
end
Marked As Solved
sevenseacat
You can combine simple checks and filter checks as separate checks the same policy, that’s correct.
By “can’t combine built-in checks” I meant in the same policy check, something like:
authorize_if actor_attribute_equals(:role, :editor) && relates_to_actor_via(:created_by)
Which doesn’t work!
I’m pretty sure your version with two checks is equivalent, but I find it a lot harder to wrap my head around it, with the separate checks with inverted rules (which is why I can’t say with 100% confidence that they’re equivalent!)
Popular Pragmatic Bookshelf topics
Other popular topics
Categories:
Sub Categories:
Popular Portals
- /elixir
- /rust
- /ruby
- /wasm
- /erlang
- /phoenix
- /keyboards
- /rails
- /python
- /js
- /security
- /go
- /swift
- /vim
- /clojure
- /haskell
- /emacs
- /java
- /svelte
- /onivim
- /typescript
- /kotlin
- /c-plus-plus
- /crystal
- /tailwind
- /react
- /gleam
- /ocaml
- /elm
- /flutter
- /vscode
- /ash
- /html
- /opensuse
- /centos
- /php
- /deepseek
- /zig
- /scala
- /sublime-text
- /lisp
- /textmate
- /react-native
- /nixos
- /debian
- /agda
- /kubuntu
- /arch-linux
- /django
- /ubuntu
- /revery
- /manjaro
- /deno
- /spring
- /nodejs
- /diversity
- /lua
- /julia
- /c
- /slackware
Devtalk Sponsors
Practical resources that improve the lives of professional developers.
We build trusted fault-tolerant systems that scale to billions of users.
Real-time error tracking, performance insights, and observability for devs.
Develop your skills with books, videos, and courses.
Catch errors, track performance, monitor hosts and more.
Enabling companies to succeed by building software people love.
Courses that move you from confusion to "Aha, now I get it!"