local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 67 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

Docs: document bypass read rule for CustomFieldValue pattern
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse source 
- Bypass action_type(:read) is production-side rule: reading own CFVs
  always allowed, overrides Permission-Sets. Applies to get/list/load.
This commit is contained in:
Moritz 2026-01-27 15:44:44 +01:00
parent 6e01af10f5
commit c48feb2128
1 changed files with 2 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/roles-and-permissions-architecture.md
View file

@ -1059,6 +1059,8 @@ end
**Pattern:** Bypass for READ (list queries), CustomFieldValueCreateScope for create (no filter), HasPermission for read/update/destroy. Create uses a dedicated check because Ash cannot apply filters to create actions. **Pattern:** Bypass for READ (list queries), CustomFieldValueCreateScope for create (no filter), HasPermission for read/update/destroy. Create uses a dedicated check because Ash cannot apply filters to create actions.
The bypass `action_type(:read)` is a production-side rule: reading own CFVs (where `member_id == actor.member_id`) is always allowed and overrides Permission-Sets; no further policies are needed for that. It applies to all read actions (get, list, load).
```elixir ```elixir
defmodule Mv.Membership.CustomFieldValue do defmodule Mv.Membership.CustomFieldValue do
use Ash.Resource, ... use Ash.Resource, ...