improvement: do not eager evaluate filters for read action policies

2024-09-17 03:53:02 +12:00 · 2024-08-31 14:34:29 -04:00 · 2024-08-31 14:34:29 -04:00 · 926762cf38
commit 926762cf38
parent 4adddcdd69
2 changed files with 21 additions and 7 deletions
--- a/lib/ash/policy/authorizer/authorizer.ex
+++ b/lib/ash/policy/authorizer/authorizer.ex
@ -12,6 +12,7 @@ defmodule Ash.Policy.Authorizer do
    :real_scenarios,
    :check_scenarios,
    :subject,
+    :for_fields,
    context: %{},
    policies: [],
    facts: %{true => true, false => false},
@ -1498,7 +1499,7 @@ defmodule Ash.Policy.Authorizer do
  end

  defp strict_check_result(authorizer, opts \\ []) do
-    case Checker.strict_check_scenarios(authorizer) do
+    case Checker.strict_check_scenarios(%{authorizer | for_fields: opts[:for_fields]}) do
      {:ok, true, authorizer} ->
        {:authorized, authorizer}

--- a/lib/ash/policy/filter_check.ex
+++ b/lib/ash/policy/filter_check.ex
@ -82,17 +82,30 @@ defmodule Ash.Policy.FilterCheck do
        actor
        |> filter(authorizer, opts)
        |> Ash.Expr.fill_template(actor, Ash.Policy.FilterCheck.args(authorizer), context)
-        |> try_eval(authorizer)
+        |> then(fn expr ->
+          if authorizer.for_fields || authorizer.action.type != :read ||
+               context[:private][:pre_flight_authorization?] do
+            try_eval(expr, authorizer)
+          else
+            case expr do
+              true ->
+                {:ok, true}
+
+              false ->
+                {:ok, false}
+
+              other ->
+                other
+            end
+          end
+        end)
        |> case do
-          {:ok, false} ->
-            {:ok, false}
+          {:ok, v} when v in [true, false] ->
+            {:ok, v}

          {:ok, nil} ->
            {:ok, false}

-          {:ok, _} ->
-            {:ok, true}
-
          _ ->
            {:ok, :unknown}
        end