2024-01-31 06:53:23 +13:00
|
|
|
defmodule Ash.Test.Policy.StrictConditionTest do
|
|
|
|
use ExUnit.Case, async: true
|
|
|
|
|
|
|
|
defmodule Resource do
|
|
|
|
@moduledoc false
|
|
|
|
use Ash.Resource, data_layer: Ash.DataLayer.Ets, authorizers: [Ash.Policy.Authorizer]
|
|
|
|
|
|
|
|
ets do
|
|
|
|
private?(true)
|
|
|
|
end
|
|
|
|
|
|
|
|
actions do
|
|
|
|
defaults([:create, :read, :update, :destroy])
|
|
|
|
end
|
|
|
|
|
|
|
|
attributes do
|
|
|
|
uuid_primary_key :id
|
|
|
|
attribute :visible, :boolean, allow_nil?: false
|
|
|
|
end
|
|
|
|
|
|
|
|
policies do
|
|
|
|
default_access_type :strict
|
|
|
|
|
2024-01-31 09:23:04 +13:00
|
|
|
policy [action(:read), expr(visible == true)] do
|
2024-01-31 06:53:23 +13:00
|
|
|
authorize_if always()
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
defmodule Api do
|
|
|
|
@moduledoc false
|
|
|
|
use Ash.Api
|
|
|
|
|
|
|
|
authorization do
|
|
|
|
authorize :by_default
|
|
|
|
end
|
|
|
|
|
|
|
|
resources do
|
|
|
|
resource Resource
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2024-01-31 07:11:47 +13:00
|
|
|
test "condition in filter policy is evaluated" do
|
2024-01-31 06:53:23 +13:00
|
|
|
Resource
|
|
|
|
|> Ash.Changeset.for_create(:create, %{visible: true}, authorize?: false)
|
|
|
|
|> Api.create!()
|
|
|
|
|
|
|
|
Resource
|
|
|
|
|> Ash.Changeset.for_create(:create, %{visible: false}, authorize?: false)
|
|
|
|
|> Api.create!()
|
|
|
|
|
2024-01-31 07:11:47 +13:00
|
|
|
assert_raise Ash.Error.Forbidden, fn ->
|
2024-01-31 06:53:23 +13:00
|
|
|
Resource
|
|
|
|
|> Ash.Query.for_read(:read, actor: %{id: "foo"})
|
|
|
|
|> Api.read!()
|
2024-01-31 07:11:47 +13:00
|
|
|
end
|
2024-01-31 06:53:23 +13:00
|
|
|
end
|
|
|
|
end
|