mirror of
https://github.com/ash-project/ash.git
synced 2024-09-20 13:33:20 +12:00
chore: return proper authorization errors from actions on failure
This commit is contained in:
parent
8e5f628286
commit
1acca3d8e1
1 changed files with 39 additions and 25 deletions
|
@ -792,17 +792,9 @@ defmodule Ash.Api do
|
||||||
defp alter_source(other, _, _, _, _), do: other
|
defp alter_source(other, _, _, _, _), do: other
|
||||||
|
|
||||||
defp run_check(api, actor, subject, opts) do
|
defp run_check(api, actor, subject, opts) do
|
||||||
subject.resource
|
authorizers =
|
||||||
|> Ash.Resource.Info.authorizers()
|
Ash.Resource.Info.authorizers(subject.resource)
|
||||||
|> case do
|
|> Enum.map(fn authorizer ->
|
||||||
[] ->
|
|
||||||
{:ok, true}
|
|
||||||
|
|
||||||
authorizers ->
|
|
||||||
authorizers
|
|
||||||
|> Enum.reduce_while(
|
|
||||||
{false, nil},
|
|
||||||
fn authorizer, {_authorized?, query} ->
|
|
||||||
authorizer_state =
|
authorizer_state =
|
||||||
authorizer.initial_state(
|
authorizer.initial_state(
|
||||||
actor,
|
actor,
|
||||||
|
@ -820,6 +812,18 @@ defmodule Ash.Api do
|
||||||
%Ash.ActionInput{} -> Map.put(context, :action_input, subject)
|
%Ash.ActionInput{} -> Map.put(context, :action_input, subject)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
{authorizer, authorizer_state, context}
|
||||||
|
end)
|
||||||
|
|
||||||
|
case authorizers do
|
||||||
|
[] ->
|
||||||
|
{:ok, true}
|
||||||
|
|
||||||
|
authorizers ->
|
||||||
|
authorizers
|
||||||
|
|> Enum.reduce_while(
|
||||||
|
{false, nil},
|
||||||
|
fn {authorizer, authorizer_state, context}, {_authorized?, query} ->
|
||||||
case authorizer.strict_check(authorizer_state, context) do
|
case authorizer.strict_check(authorizer_state, context) do
|
||||||
{:error, %{class: :forbidden} = e} when is_exception(e) ->
|
{:error, %{class: :forbidden} = e} when is_exception(e) ->
|
||||||
{:halt, {false, e}}
|
{:halt, {false, e}}
|
||||||
|
@ -899,7 +903,7 @@ defmodule Ash.Api do
|
||||||
{:ok, true}
|
{:ok, true}
|
||||||
else
|
else
|
||||||
if opts[:return_forbidden_error?] do
|
if opts[:return_forbidden_error?] do
|
||||||
{:ok, false, Ash.Error.Forbidden.exception([])}
|
{:ok, false, authorizer_exception(authorizers)}
|
||||||
else
|
else
|
||||||
{:ok, false}
|
{:ok, false}
|
||||||
end
|
end
|
||||||
|
@ -936,7 +940,7 @@ defmodule Ash.Api do
|
||||||
|
|
||||||
_ ->
|
_ ->
|
||||||
if opts[:return_forbidden_error?] do
|
if opts[:return_forbidden_error?] do
|
||||||
{:ok, false, Ash.Error.Forbidden.exception([])}
|
{:ok, false, authorizer_exception(authorizers)}
|
||||||
else
|
else
|
||||||
{:ok, false}
|
{:ok, false}
|
||||||
end
|
end
|
||||||
|
@ -946,7 +950,7 @@ defmodule Ash.Api do
|
||||||
|
|
||||||
%Ash.Changeset{} ->
|
%Ash.Changeset{} ->
|
||||||
if opts[:return_forbidden_error?] do
|
if opts[:return_forbidden_error?] do
|
||||||
{:ok, false, Ash.Error.Forbidden.exception([])}
|
{:ok, false, authorizer_exception(authorizers)}
|
||||||
else
|
else
|
||||||
{:ok, false}
|
{:ok, false}
|
||||||
end
|
end
|
||||||
|
@ -957,7 +961,7 @@ defmodule Ash.Api do
|
||||||
|
|
||||||
{false, error} ->
|
{false, error} ->
|
||||||
if opts[:return_forbidden_error?] do
|
if opts[:return_forbidden_error?] do
|
||||||
{:ok, false, error || Ash.Error.Forbidden.exception([])}
|
{:ok, false, error || authorizer_exception(authorizers)}
|
||||||
else
|
else
|
||||||
{:ok, false}
|
{:ok, false}
|
||||||
end
|
end
|
||||||
|
@ -975,6 +979,16 @@ defmodule Ash.Api do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
defp authorizer_exception([{authorizer, authorizer_state, _context}]) do
|
||||||
|
Ash.Authorizer.exception(authorizer, :forbidden, authorizer_state)
|
||||||
|
end
|
||||||
|
|
||||||
|
defp authorizer_exception(authorizers) do
|
||||||
|
authorizers
|
||||||
|
|> Enum.map(&authorizer_exception([&1]))
|
||||||
|
|> Ash.Error.to_error_class()
|
||||||
|
end
|
||||||
|
|
||||||
@calculate_opts [
|
@calculate_opts [
|
||||||
args: [
|
args: [
|
||||||
type: :map,
|
type: :map,
|
||||||
|
|
Loading…
Reference in a new issue