mirror of
https://github.com/ash-project/ash.git
synced 2024-09-19 13:03:02 +12:00
improvement: do not eager evaluate filters for read action policies
This commit is contained in:
parent
4adddcdd69
commit
926762cf38
2 changed files with 21 additions and 7 deletions
|
@ -12,6 +12,7 @@ defmodule Ash.Policy.Authorizer do
|
|||
:real_scenarios,
|
||||
:check_scenarios,
|
||||
:subject,
|
||||
:for_fields,
|
||||
context: %{},
|
||||
policies: [],
|
||||
facts: %{true => true, false => false},
|
||||
|
@ -1498,7 +1499,7 @@ defmodule Ash.Policy.Authorizer do
|
|||
end
|
||||
|
||||
defp strict_check_result(authorizer, opts \\ []) do
|
||||
case Checker.strict_check_scenarios(authorizer) do
|
||||
case Checker.strict_check_scenarios(%{authorizer | for_fields: opts[:for_fields]}) do
|
||||
{:ok, true, authorizer} ->
|
||||
{:authorized, authorizer}
|
||||
|
||||
|
|
|
@ -82,17 +82,30 @@ defmodule Ash.Policy.FilterCheck do
|
|||
actor
|
||||
|> filter(authorizer, opts)
|
||||
|> Ash.Expr.fill_template(actor, Ash.Policy.FilterCheck.args(authorizer), context)
|
||||
|> try_eval(authorizer)
|
||||
|> case do
|
||||
{:ok, false} ->
|
||||
|> then(fn expr ->
|
||||
if authorizer.for_fields || authorizer.action.type != :read ||
|
||||
context[:private][:pre_flight_authorization?] do
|
||||
try_eval(expr, authorizer)
|
||||
else
|
||||
case expr do
|
||||
true ->
|
||||
{:ok, true}
|
||||
|
||||
false ->
|
||||
{:ok, false}
|
||||
|
||||
other ->
|
||||
other
|
||||
end
|
||||
end
|
||||
end)
|
||||
|> case do
|
||||
{:ok, v} when v in [true, false] ->
|
||||
{:ok, v}
|
||||
|
||||
{:ok, nil} ->
|
||||
{:ok, false}
|
||||
|
||||
{:ok, _} ->
|
||||
{:ok, true}
|
||||
|
||||
_ ->
|
||||
{:ok, :unknown}
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue