MemberGroup: restrict bypass to own_data via MemberGroupReadLinkedForOwnData
- Uses the ActorPermissionSetIs check; the bypass policy filters by member_id for own_data actors only.
- An admin who also has a member_id still gets :all via HasPermission.
- Tests added.
parent
67ce514ba0
commit
890a4d3752
4 changed files with 143 additions and 4 deletions
@ -42,7 +42,6 @@ defmodule Mv.Membership.MemberGroup do
|
|||
data_layer: AshPostgres.DataLayer,
|
||||
authorizers: [Ash.Policy.Authorizer]
|
||||
|
||||
import Ash.Expr
|
||||
require Ash.Query
|
||||
|
||||
postgres do
|
||||
|
|
@ -58,13 +57,13 @@ defmodule Mv.Membership.MemberGroup do
|
|||
end
|
||||
end
|
||||
|
||||
# Authorization: read uses bypass for :linked (own_data list) then HasPermission for :all;
|
||||
# Authorization: read uses bypass for :linked (own_data only) then HasPermission for :all;
|
||||
# create/destroy use HasPermission (normal_user + admin only).
|
||||
# Order: bypass first so own_data gets expr filter; HasPermission then authorizes :all for others.
|
||||
# Single check: own_data gets filter via auto_filter; admin does not match, gets :all from HasPermission.
|
||||
policies do
|
||||
bypass action_type(:read) do
|
||||
description "own_data: read only member_groups where member_id == actor.member_id"
|
||||
authorize_if expr(member_id == ^actor(:member_id))
|
||||
authorize_if Mv.Authorization.Checks.MemberGroupReadLinkedForOwnData
|
||||
end
|
||||
|
||||
policy action_type(:read) do
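Review bot: The `bypass action_type(:read)` now rests entirely on `Mv.Authorization.Checks.MemberGroupReadLinkedForOwnData`, and a bypass that authorizes with a plain boolean short-circuits every later policy for that request, so unless that check always resolves to a row filter (as the "auto_filter" comment implies — the module itself is not in this hunk, so I cannot confirm it) an own_data actor would read every member_group rather than only their own. The removed `expr(member_id == ^actor(:member_id))` at least made the filter visible here; the new check should document the same guarantee inline, e.g. above the `authorize_if`: `# SECURITY: bypass — this check MUST resolve to a filter on member_id (never plain true), or own_data reads all groups`. The added tests should also cover an own_data actor whose `member_id` is nil, since the old expr compared against a nil pin and the new check's nil handling is not visible from this change. The three header comments (own_data/:all, create/destroy, "Single check") now overlap and could be folded into one. The `policies do` block continues past the end of this hunk.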