mirror of
https://github.com/ash-project/ash.git
synced 2024-09-20 21:43:02 +12:00
5967ed3a48
* improvement!: use `%Ash.NotSelected{}` for unselected values
* improvement!: default `require_atomic?` to `true`
* improvement!: raise errors on unknown generic action arguments
* improvement!: default bulk strategy to `:atomic`
* improvement!: warnings on `require_atomic?` `true` actions
improvement!: revise `Ash.NotSelected` to `Ash.NotLoaded`
improvement!: errors on unknown action inputs across the board
* doc: clarify wording in notifiers.md
closes #889
* improvement!: default `api.authorization.authorize` to `:by_default`
* improvement!: require the api when constructing changesets
this commit also fixes some work from prior commits around
the default value for the `authorize` option
* improvement!: code_interface.define_for -> code_interface.api
`code_interface.define_for` is now `code_interface.api`. Additionally, it is set automatically if the `api` option is specified on `use Ash.Resource`.
* improvement!: remove registries
* improvement!: pubsub notifier default to `previous_values?: false`
improvement!: requires_original_data? callback defaults to false
* improvement!: rename Ash.Calculation -> Ash.Resource.Calculation
improvement!: improve `Ash.Query.Calculation.new` signature
improvement!: anonymous function calculations now take lists and return lists
improvement!: make callback contexts into structs
improvement!: pass context to builtin lifecycle hook changes
improvement!: calculation arguments are now in the `arguments` key of the context
* chore: fix build
* improvement!: remove `aggregates` and `calculations` from `Filter.parse` and `Filter.parse_input`
* improvement: update spark to 2.0
* improvement!: make picosat_elixir optional with `simple_sat`
* improvement!: rename api to domain
* docs: add more info to upgrading guide
* docs: tweak docs formatting
* improvement!: remove `Ash.Changeset.new!`
* docs: update docs for `Ash.Changeset.new/1`
* improvement!: deprecate `private?: false` in favor of `public?: true`
* doc: add upgrade guide for private -> public
* improvement: update reactor to 3.0
* improvement!: default `default_accept` is now `[]`
* improvement!: `Ash.CiString.new/1` returns `nil` on `nil` input
* improvement!(Ash.Reactor): Improve integration with Ash 3.0 changes.
* improvement!: clean up and reorganize `Ash` functions
this is in preparation of deprecating the functions that are defined
on the api
improvement!: remove context-based functionality
* chore: update docs references from `Ash.Domain` to `Ash`
* chore: fix bad merge
* chore: fix context access in atomic changes
* improvement!: Deprecate calling functions on (domain) api in favor of `Ash`
* improvement!: add `attribute_public?` and update `attribute_writable?` behavior
* improvement!: update atomic behaviors, default to invalid
* chore: update downcase docs
* improvement!: changeset.filters -> changeset.filter
* improvement!: remove deprecated functions
* improvement!: remove and simplify `Ash.Filter.TemplateHelpers`
* improvement: import Ash.Expr in modules where it is used
improvement: require Ash.QUery in modules where it makes sense
* fix!: keyword lists are no longer special cased in ash expressions
* improvement: add structs for more context implementations
* chore: small tweaks, finish `:all` -> `:*` conversion
* chore: update DSL docs for multitenancy.global?
* improvement: ensure selects are applied on destroys
chore: remove TODOs
* chore: some docs changes
* improvement!: introduce strict mode to calculations
* chore: update tests
* improvement: support custom expressions
* docs: document custom expressions
* chore: fix and test custom expressions and function fragments
docs: update relevant docs w/ the changes
* improvement!: reverse order of before action & before transaction hooks
* improvement!: default read actions are now paginatable
* improvement!: require explicit accept lists in default actions
* chore: update docs
* improvement!: remove Ash.Flow and Ash.Engine
* chore: unlock unused deps
* chore: don't use unused variable
* chore: include ash flow change in upgrade guide
* improvement!: standardize various exception keys and names
* improvement!: use `Splode` for errors
* improvement: update upgrade guide to include Splode
* feat: code interface on the domain
* improvement: only require primary key if resource has actions or fields
improvement: only build schema if resource has actions or fields
improvement: verify primary key in its own verifier
* improvement: add `resource/1` builtin check
* improvement!: move simple_notifiers to an option instead of a DSL builder
improvement!: update spark for better autocomplete, configure autocomplete for key functions
docs: replace `an domain` with `a domain`
* improvement: better code interface documentation
* fix: set tenant on query so that root calles to Api.aggreagte work as expected (#929)
* chore: fixes from previous improvements
* chore: update splode
* chore: update splode
* improvement!: swap position of sort order and arguments in calculation sorting
* improvement!: add `include_nil?` aggregate option, and default it to `false`
* improvement: support notifiers within actions
* improvement: support specifying multiple filters
* improvement: add `sortable?` flags to all fields
improvement: support multiple filters on relationships
* improvement: support sensitive? on calculations and arguments
* improvement: validate resources in inputs to code interface
* chore: don't require explicit accept lists when using `default_accept :*`
* chore: update spark
* chore: update public attribute handling per 3.0
* improvement: update reactor and tests
* chore: better error message
* chore: fix rebase issue
* chore: handle merge issues
improvement: don't require domain on relationships if destination has domain
* improvement!: errors on unknown inputs for calculations
* improvement: always choose to cast atomic
* improvement: support casting some embeds atomically
* improvement: various 3.0 updates, documented in upgrade.md
* chore: Add failing tests for loads with with explicit domains. (#948)
Co-authored-by: James Harton <james@harton.nz>
* improvement: ensure non-static dynamic domains works
* improvement: add Ash.ToTenant protocol
* chore: add docs for no ToTenant option
* fix: properly construct new query in `build/3`
* chore: update simple_sat dependency
* chore: don't reselect when missing primary keys
* chore: remove IO.inspect
* chore: update spark
* chore: update spark
* improvement: use `Keyword.put_new` in `Ash.Context.to_opts` (#953)
* improvement: support bulk and atomic operations in code interfaces
---------
Co-authored-by: James Harton <james@harton.nz>
Co-authored-by: WIGGLES <55168935+WIGGLES-dev@users.noreply.github.com>
Co-authored-by: Dmitry Maganov <vonagam@gmail.com>
102 lines
2.9 KiB
Elixir
102 lines
2.9 KiB
Elixir
defmodule Ash.Test.Support.PolicyRbac.Checks.RoleChecks do
|
|
@moduledoc false
|
|
|
|
use Ash.Policy.Check
|
|
require Ash.Query
|
|
|
|
# Description of role hierarchy/permissions granted
|
|
@role_inheritance [:admin, :member, :viewer]
|
|
|
|
@permission_grants %{
|
|
admin: [:create, :read, :update, :destroy],
|
|
member: [:create, :read, :update],
|
|
viewer: [:read]
|
|
}
|
|
|
|
def describe(_opts) do
|
|
"A description"
|
|
end
|
|
|
|
## Helper to use in resources
|
|
def can?(resource), do: {__MODULE__, [resource: resource]}
|
|
|
|
## Helper to use in resources
|
|
def has_permission?(resource, permission) do
|
|
roles =
|
|
permission
|
|
|> roles_that_can()
|
|
|> all_higher_roles()
|
|
|
|
{__MODULE__, [resource: resource, roles: roles]}
|
|
end
|
|
|
|
## Helper to use in resources
|
|
def has_role?(resource, role_or_roles) do
|
|
{__MODULE__, [resource: resource, roles: all_higher_roles(role_or_roles)]}
|
|
end
|
|
|
|
# Says "I need to know these field values to do my work"
|
|
def strict_check_context(_opts) do
|
|
[:query, :action]
|
|
end
|
|
|
|
# This would be a spot for us to pre-empt doing any filtering/request work
|
|
# We could use this to say "we already kow the answer" For example,
|
|
# if the actor had a `super_admin` flag enabled on then, we could return
|
|
# {:ok, true} to say "whatever role you're asking about, they have it"
|
|
# (don't implement that this way, use a bypass check, its just an example)
|
|
def strict_check(_, _, _) do
|
|
{:ok, :unknown}
|
|
end
|
|
|
|
# Describes the type of check
|
|
def type, do: :filter
|
|
|
|
# Returns a filter statement over the data
|
|
def auto_filter(actor, authorizer, []) do
|
|
# :create | :update | :destroy | :read
|
|
action_type = authorizer.action.type
|
|
|
|
expr(memberships.role in ^roles_that_can(action_type) and memberships.user_id == ^actor.id)
|
|
end
|
|
|
|
def auto_filter(actor, authorizer, opts) do
|
|
# We're asking for specific roles
|
|
if opts[:roles] do
|
|
expr(
|
|
organization.memberships.role in ^opts[:roles] and
|
|
organization.memberships.user_id == ^actor.id and
|
|
organization.memberships.resource == ^opts[:resource] and
|
|
id == organization.memberships.resource_id
|
|
)
|
|
else
|
|
# We're asking if they have the permission corresponding to the action
|
|
# :create | :update | :destroy | :read
|
|
action_type = authorizer.action.type
|
|
|
|
expr(
|
|
organization.memberships.role in ^roles_that_can(action_type) and
|
|
organization.memberships.user_id == ^actor.id and
|
|
organization.memberships.resource == ^opts[:resource] and
|
|
id == organization.memberships.resource_id
|
|
)
|
|
end
|
|
end
|
|
|
|
defp roles_that_can(permission) do
|
|
@permission_grants
|
|
|> Enum.filter(fn {_key, val} ->
|
|
permission in val
|
|
end)
|
|
|> Enum.map(&elem(&1, 0))
|
|
end
|
|
|
|
defp all_higher_roles(role_or_roles) do
|
|
role_or_roles
|
|
|> List.wrap()
|
|
|> Enum.flat_map(fn role ->
|
|
Enum.take_while(@role_inheritance, &(&1 != role))
|
|
end)
|
|
|> Enum.uniq()
|
|
end
|
|
end
|