local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 66 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

refactor: reduce nesting in HasPermission.strict_check_with_permissions
Some checks reported errors
continuous-integration/drone/push Build was killed
Details
continuous-integration/drone/promote/production Build is passing
Details

Browse source 
Extract strict_check_filter_scope/4 to satisfy Credo max depth 2.
This commit is contained in:
Moritz 2026-02-04 13:29:41 +01:00
parent f7ba98c36b
commit 40e75f4066
1 changed files with 10 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

27
lib/mv/authorization/checks/has_permission.ex
View file

@ -132,26 +132,10 @@ defmodule Mv.Authorization.Checks.HasPermission do
resource_name resource_name
) do ) do
:authorized -> :authorized ->
# For :all scope, authorize directly
{:ok, true} {:ok, true}
{:filter, filter_expr} -> {:filter, filter_expr} ->
# For :own/:linked scope: strict_check_filter_scope(record, filter_expr, actor, resource_name)
# - With a record, evaluate filter against record for strict authorization
# - Without a record (queries/lists), return false
#
# NOTE: Returning false here forces the use of expr-based bypass policies.
# This is necessary because Ash's policy evaluation doesn't reliably call auto_filter
# when strict_check returns :unknown. Instead, resources should use bypass policies
# with expr() directly for filter-based authorization (see User resource).
if record do
evaluate_filter_for_strict_check(filter_expr, actor, record, resource_name)
else
# No record yet (e.g., read/list queries) - deny at strict_check level
# Resources must use expr-based bypass policies for list filtering
# Create: use a dedicated check that does not return a filter (e.g. CustomFieldValueCreateScope)
{:ok, false}
end
false -> false ->
{:ok, false} {:ok, false}
@ -175,6 +159,15 @@ defmodule Mv.Authorization.Checks.HasPermission do
end end
end end
# For :own/:linked scope: with record evaluate filter; without record deny (resources use bypass + expr).
defp strict_check_filter_scope(record, filter_expr, actor, resource_name) do
if record do
evaluate_filter_for_strict_check(filter_expr, actor, record, resource_name)
else
{:ok, false}
end
end
@impl true @impl true
def auto_filter(actor, authorizer, _opts) do def auto_filter(actor, authorizer, _opts) do
resource = authorizer.resource resource = authorizer.resource