Add Role resource policies (defense-in-depth)
- PermissionSets: Role `read :all` for `own_data`, `read_only`, `normal_user`; `admin` keeps full CRUD
- Role resource: add `Ash.Policy.Authorizer` and policies backed by `HasPermission`
- Tests: `role_policies_test.exs` (read allowed for all permission sets; create/update/destroy admin only)
- Fix existing tests to pass an actor or `authorize?: false` for Role operations
This commit is contained in:
parent
10f37a1246
commit
4d3a64c177
8 changed files with 304 additions and 51 deletions
@ -37,7 +37,8 @@ defmodule Mv.Authorization.Role do
|
|||
"""
|
||||
use Ash.Resource,
|
||||
domain: Mv.Authorization,
|
||||
data_layer: AshPostgres.DataLayer
|
||||
data_layer: AshPostgres.DataLayer,
|
||||
authorizers: [Ash.Policy.Authorizer]
|
||||
|
||||
postgres do
|
||||
table "roles"
|
||||
|
|
@ -86,6 +87,13 @@ defmodule Mv.Authorization.Role do
|
|||
end
|
||||
end
|
||||
|
||||
policies do
|
||||
policy action_type([:read, :create, :update, :destroy]) do
|
||||
description "Role access: read for all permission sets, create/update/destroy for admin only (PermissionSets)"
|
||||
authorize_if Mv.Authorization.Checks.HasPermission
|
||||
end
|
||||
end
|
||||
|
||||
validations do
|
||||
validate one_of(
|
||||
:permission_set_name,
|
||||
|