From bfe9fba2e03e87f7a4d985830a2a299939050a37 Mon Sep 17 00:00:00 2001 From: Moritz Date: Tue, 27 Jan 2026 15:44:44 +0100 Subject: [PATCH] Docs: document bypass read rule for CustomFieldValue pattern - Bypass action_type(:read) is production-side rule: reading own CFVs always allowed, overrides Permission-Sets. Applies to get/list/load. --- docs/roles-and-permissions-architecture.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/roles-and-permissions-architecture.md b/docs/roles-and-permissions-architecture.md index acea99e..063de32 100644 --- a/docs/roles-and-permissions-architecture.md +++ b/docs/roles-and-permissions-architecture.md @@ -1059,6 +1059,8 @@ end **Pattern:** Bypass for READ (list queries), CustomFieldValueCreateScope for create (no filter), HasPermission for read/update/destroy. Create uses a dedicated check because Ash cannot apply filters to create actions. +The bypass `action_type(:read)` is a production-side rule: reading own CFVs (where `member_id == actor.member_id`) is always allowed and overrides Permission-Sets; no further policies are needed for that. It applies to all read actions (get, list, load). + ```elixir defmodule Mv.Membership.CustomFieldValue do use Ash.Resource, ...
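Review bot: The new paragraph in the hunk states that the `action_type(:read)` bypass "overrides Permission-Sets" and that "no further policies are needed", but the `**Pattern:**` line directly above still lists "HasPermission for read/update/destroy"; as written, a reader cannot tell whether the bypass replaces the HasPermission read check entirely or only short-circuits it for the actor's own rows (`member_id == actor.member_id`) while other members' CFVs still go through Permission-Sets. Please say explicitly that the bypass must be scoped by that own-row condition (an `authorize_if` on the filter, not an unconditional bypass), since an unscoped `bypass action_type(:read)` would expose every CustomFieldValue to every actor, and adjust the Pattern line to "Bypass for own-row READ, HasPermission for other reads/update/destroy" or similar. "Production-side rule" is also unclear in a docs file; spell out that it means a rule fixed in the resource policy code rather than configurable through Permission-Sets data, and note whether "load" refers to Ash `load` of the relationship from Member, so that the get/list/load claim can be checked against the policy snippet that follows.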