mirror of
https://github.com/ash-project/ash.git
synced 2024-09-19 21:13:10 +12:00
improvement: do not eager evaluate filters for read action policies
This commit is contained in:
parent
4adddcdd69
commit
926762cf38
2 changed files with 21 additions and 7 deletions
|
@ -12,6 +12,7 @@ defmodule Ash.Policy.Authorizer do
|
||||||
:real_scenarios,
|
:real_scenarios,
|
||||||
:check_scenarios,
|
:check_scenarios,
|
||||||
:subject,
|
:subject,
|
||||||
|
:for_fields,
|
||||||
context: %{},
|
context: %{},
|
||||||
policies: [],
|
policies: [],
|
||||||
facts: %{true => true, false => false},
|
facts: %{true => true, false => false},
|
||||||
|
@ -1498,7 +1499,7 @@ defmodule Ash.Policy.Authorizer do
|
||||||
end
|
end
|
||||||
|
|
||||||
defp strict_check_result(authorizer, opts \\ []) do
|
defp strict_check_result(authorizer, opts \\ []) do
|
||||||
case Checker.strict_check_scenarios(authorizer) do
|
case Checker.strict_check_scenarios(%{authorizer | for_fields: opts[:for_fields]}) do
|
||||||
{:ok, true, authorizer} ->
|
{:ok, true, authorizer} ->
|
||||||
{:authorized, authorizer}
|
{:authorized, authorizer}
|
||||||
|
|
||||||
|
|
|
@ -82,17 +82,30 @@ defmodule Ash.Policy.FilterCheck do
|
||||||
actor
|
actor
|
||||||
|> filter(authorizer, opts)
|
|> filter(authorizer, opts)
|
||||||
|> Ash.Expr.fill_template(actor, Ash.Policy.FilterCheck.args(authorizer), context)
|
|> Ash.Expr.fill_template(actor, Ash.Policy.FilterCheck.args(authorizer), context)
|
||||||
|> try_eval(authorizer)
|
|> then(fn expr ->
|
||||||
|> case do
|
if authorizer.for_fields || authorizer.action.type != :read ||
|
||||||
{:ok, false} ->
|
context[:private][:pre_flight_authorization?] do
|
||||||
|
try_eval(expr, authorizer)
|
||||||
|
else
|
||||||
|
case expr do
|
||||||
|
true ->
|
||||||
|
{:ok, true}
|
||||||
|
|
||||||
|
false ->
|
||||||
{:ok, false}
|
{:ok, false}
|
||||||
|
|
||||||
|
other ->
|
||||||
|
other
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end)
|
||||||
|
|> case do
|
||||||
|
{:ok, v} when v in [true, false] ->
|
||||||
|
{:ok, v}
|
||||||
|
|
||||||
{:ok, nil} ->
|
{:ok, nil} ->
|
||||||
{:ok, false}
|
{:ok, false}
|
||||||
|
|
||||||
{:ok, _} ->
|
|
||||||
{:ok, true}
|
|
||||||
|
|
||||||
_ ->
|
_ ->
|
||||||
{:ok, :unknown}
|
{:ok, :unknown}
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue