# if the record is marked as public, authorize the request
authorize_if attribute(:public, true)
# if the actor is related to the data via that data's `owner` relationship, authorize the request
authorize_if relates_to_actor_via(:owner)
end
end
```
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`default_access_type`](#policies-default_access_type){: #policies-default_access_type } | `:strict \| :filter \| :runtime` | `:filter` | The default access type of policies for this resource. |
## policies.policy
```elixir
policy condition
```
A policy has a name, a condition, and a list of checks.
Checks apply logically in the order they are specified, from top to bottom.
If no check explicitly authorizes the request, then the request is forbidden.
This means that, if you want to "blacklist" instead of "whitelist", you likely
want to add an `authorize_if always()` at the bottom of your policy, like so:
```elixir
policy action_type(:read) do
forbid_if not_logged_in()
forbid_if user_is_denylisted()
forbid_if user_is_in_denylisted_group()
authorize_if always()
end
```
If the policy should always run, use the `always()` check, like so:
```elixir
policy always() do
...
end
```
See the [policies guide](/documentation/topics/policies.md) for more.
| [`condition`](#policies-policy-condition){: #policies-policy-condition } | `any` | | A check or list of checks that must be true in order for this policy to apply. |
| [`description`](#policies-policy-description){: #policies-policy-description } | `String.t` | | A description for the policy, used when explaining authorization results |
| [`access_type`](#policies-policy-access_type){: #policies-policy-access_type } | `:strict \| :filter \| :runtime` | | What portion of the checks inside the policy are allowed to run. See the guide for more. |
## policies.policy.authorize_if
```elixir
authorize_if check
```
If the check is true, the request is authorized, otherwise run remaining checks.
| [`check`](#policies-policy-authorize_if-check){: #policies-policy-authorize_if-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#policies-policy-authorize_if-name){: #policies-policy-authorize_if-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |
### Introspection
Target: `Ash.Policy.Check`
## policies.policy.forbid_if
```elixir
forbid_if check
```
If the check is true, the request is forbidden, otherwise run remaining checks.
| [`check`](#policies-policy-forbid_if-check){: #policies-policy-forbid_if-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#policies-policy-forbid_if-name){: #policies-policy-forbid_if-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |
### Introspection
Target: `Ash.Policy.Check`
## policies.policy.authorize_unless
```elixir
authorize_unless check
```
If the check is false, the request is authorized, otherwise run remaining checks.
| [`check`](#policies-policy-authorize_unless-check){: #policies-policy-authorize_unless-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#policies-policy-authorize_unless-name){: #policies-policy-authorize_unless-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |
### Introspection
Target: `Ash.Policy.Check`
## policies.policy.forbid_unless
```elixir
forbid_unless check
```
If the check is true, the request is forbidden, otherwise run remaining checks.
| [`check`](#policies-policy-forbid_unless-check){: #policies-policy-forbid_unless-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#policies-policy-forbid_unless-name){: #policies-policy-forbid_unless-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |
### Introspection
Target: `Ash.Policy.Check`
### Introspection
Target: `Ash.Policy.Policy`
## policies.bypass
```elixir
bypass condition
```
A policy that, if passed, will skip all following policies. If failed, authorization moves on to the next policy
| [`condition`](#policies-bypass-condition){: #policies-bypass-condition } | `any` | | A check or list of checks that must be true in order for this policy to apply. |
| [`description`](#policies-bypass-description){: #policies-bypass-description } | `String.t` | | A description for the policy, used when explaining authorization results |
| [`access_type`](#policies-bypass-access_type){: #policies-bypass-access_type } | `:strict \| :filter \| :runtime` | | What portion of the checks inside the policy are allowed to run. See the guide for more. |
## policies.bypass.authorize_if
```elixir
authorize_if check
```
If the check is true, the request is authorized, otherwise run remaining checks.
| [`check`](#policies-bypass-authorize_if-check){: #policies-bypass-authorize_if-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#policies-bypass-authorize_if-name){: #policies-bypass-authorize_if-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |
### Introspection
Target: `Ash.Policy.Check`
## policies.bypass.forbid_if
```elixir
forbid_if check
```
If the check is true, the request is forbidden, otherwise run remaining checks.
| [`check`](#policies-bypass-forbid_if-check){: #policies-bypass-forbid_if-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#policies-bypass-forbid_if-name){: #policies-bypass-forbid_if-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |
### Introspection
Target: `Ash.Policy.Check`
## policies.bypass.authorize_unless
```elixir
authorize_unless check
```
If the check is false, the request is authorized, otherwise run remaining checks.
| [`check`](#policies-bypass-authorize_unless-check){: #policies-bypass-authorize_unless-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#policies-bypass-authorize_unless-name){: #policies-bypass-authorize_unless-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |
### Introspection
Target: `Ash.Policy.Check`
## policies.bypass.forbid_unless
```elixir
forbid_unless check
```
If the check is true, the request is forbidden, otherwise run remaining checks.
| [`check`](#policies-bypass-forbid_unless-check){: #policies-bypass-forbid_unless-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#policies-bypass-forbid_unless-name){: #policies-bypass-forbid_unless-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |
### Introspection
Target: `Ash.Policy.Check`
### Introspection
Target: `Ash.Policy.Policy`
## field_policies
Authorize access to specific fields via policies scoped to fields.
If *any* field policies exist then *all* fields must be authorized by a field policy.
If you want a "deny-list" style, then you can add policies for specific fields
and add a catch-all policy using the special field name `:*`. All policies that apply
to a field must be authorized.
The only exception to the above behavior is primary keys, which can always be read by everyone.
Additionally, keep in mind that adding `Ash.Policy.Authorizer` will require that all actions
pass policies. If you want to just add field policies, you will need to add a policy that allows
all access explicitly, i.e
```elixir
policies do
policy always() do
authorize_if always()
end
end
```
Using expressions: unlike in regular policies, expressions in field policies cannot refer
to related entities currently. Instead, you will need to create aggregates or expression calculations
that return the results you want to reference.
In results, forbidden fields will be replaced with a special value: `%Ash.ForbiddenField{}`.
When these fields are referred to in filters, they will be replaced with an expression that evaluates
to `nil`. To support this behavior, only expression/filter checks are allowed in field policies.
A field policy that, if passed, will skip all following field policies for that field or fields. If failed, field authorization moves on to the next policy
| [`fields`](#field_policies-field_policy_bypass-fields){: #field_policies-field_policy_bypass-fields } | `atom \| list(atom)` | | The field or fields that the policy applies to. |
| [`condition`](#field_policies-field_policy_bypass-condition){: #field_policies-field_policy_bypass-condition } | `any` | | A check or list of checks that must be true in order for this field policy to apply. If not specified, it always applies. |
| [`description`](#field_policies-field_policy_bypass-description){: #field_policies-field_policy_bypass-description } | `String.t` | | A description for the policy, used when explaining authorization results |
| [`check`](#field_policies-field_policy_bypass-authorize_if-check){: #field_policies-field_policy_bypass-authorize_if-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#field_policies-field_policy_bypass-authorize_if-name){: #field_policies-field_policy_bypass-authorize_if-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |
### Introspection
Target: `Ash.Policy.Check`
## field_policies.field_policy_bypass.forbid_if
```elixir
forbid_if check
```
If the check is true, the request is forbidden, otherwise run remaining checks.
| [`check`](#field_policies-field_policy_bypass-forbid_if-check){: #field_policies-field_policy_bypass-forbid_if-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#field_policies-field_policy_bypass-forbid_if-name){: #field_policies-field_policy_bypass-forbid_if-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |
| [`check`](#field_policies-field_policy_bypass-authorize_unless-check){: #field_policies-field_policy_bypass-authorize_unless-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#field_policies-field_policy_bypass-authorize_unless-name){: #field_policies-field_policy_bypass-authorize_unless-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |
| [`check`](#field_policies-field_policy_bypass-forbid_unless-check){: #field_policies-field_policy_bypass-forbid_unless-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#field_policies-field_policy_bypass-forbid_unless-name){: #field_policies-field_policy_bypass-forbid_unless-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |
| [`fields`](#field_policies-field_policy-fields){: #field_policies-field_policy-fields } | `atom \| list(atom)` | | The field or fields that the policy applies to. |
| [`condition`](#field_policies-field_policy-condition){: #field_policies-field_policy-condition } | `any` | | A check or list of checks that must be true in order for this field policy to apply. If not specified, it always applies. |
| [`description`](#field_policies-field_policy-description){: #field_policies-field_policy-description } | `String.t` | | A description for the policy, used when explaining authorization results |
## field_policies.field_policy.authorize_if
```elixir
authorize_if check
```
If the check is true, the request is authorized, otherwise run remaining checks.
| [`check`](#field_policies-field_policy-authorize_if-check){: #field_policies-field_policy-authorize_if-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#field_policies-field_policy-authorize_if-name){: #field_policies-field_policy-authorize_if-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |
### Introspection
Target: `Ash.Policy.Check`
## field_policies.field_policy.forbid_if
```elixir
forbid_if check
```
If the check is true, the request is forbidden, otherwise run remaining checks.
| [`check`](#field_policies-field_policy-forbid_if-check){: #field_policies-field_policy-forbid_if-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#field_policies-field_policy-forbid_if-name){: #field_policies-field_policy-forbid_if-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |
### Introspection
Target: `Ash.Policy.Check`
## field_policies.field_policy.authorize_unless
```elixir
authorize_unless check
```
If the check is false, the request is authorized, otherwise run remaining checks.
| [`check`](#field_policies-field_policy-authorize_unless-check){: #field_policies-field_policy-authorize_unless-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#field_policies-field_policy-authorize_unless-name){: #field_policies-field_policy-authorize_unless-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |
### Introspection
Target: `Ash.Policy.Check`
## field_policies.field_policy.forbid_unless
```elixir
forbid_unless check
```
If the check is true, the request is forbidden, otherwise run remaining checks.
| [`check`](#field_policies-field_policy-forbid_unless-check){: #field_policies-field_policy-forbid_unless-check .spark-required} | `any` | | The check to run. See `Ash.Policy.Check` for more. |
| [`name`](#field_policies-field_policy-forbid_unless-name){: #field_policies-field_policy-forbid_unless-name } | `String.t` | | A short name or description for the check, used when explaining authorization results |