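defmodule Mv.Authorization.Checks.HasJoinRequestAccess do
  @moduledoc """
  Simple policy check: true when the actor's permission set grants JoinRequest read permission.

  Used for bypass policies on JoinRequest read actions. Uses SimpleCheck (not a filter-based
  check) so Ash does NOT call auto_filter, which would silently return an empty list for
  unauthorized actors instead of Forbidden.

  Returns true for permission sets that grant JoinRequest read :all (normal_user, admin).
  Returns false for all others (own_data, read_only, nil actor), and for any actor whose
  permission set cannot be resolved — the check fails closed rather than raising.
  """

  use Ash.Policy.SimpleCheck

  alias Mv.Authorization.Actor
  alias Mv.Authorization.PermissionSets

  @impl true
  def describe(_opts), do: "actor's permission set grants JoinRequest read (normal_user or admin)"

  @impl true
  def match?(actor, _context, _opts) do
    with ps_name when not is_nil(ps_name) <- Actor.permission_set_name(actor),
         {:ok, ps_atom} <- PermissionSets.permission_set_name_to_atom(ps_name),
         # Match the shape here: a bare variable pattern always succeeds, so an unexpected
         # return (nil, an error tuple) would raise on `.resources` instead of denying.
         %{resources: resources} <- PermissionSets.get_permissions(ps_atom) do
      Enum.any?(resources, &join_request_read_granted?/1)
    else
      # Any non-matching step means the actor cannot be resolved to a permission set
      # that grants access: deny (fail closed).
      _ -> false
    end
  end

  # True for a single resource permission entry that grants read on JoinRequest.
  # NOTE(review): only `granted` is tested here. The moduledoc speaks of read `:all`, so if
  # the permission entry carries a scope field, a narrower scope would also pass this check —
  # confirm against PermissionSets whether own_data has a (scoped) JoinRequest read grant.
  defp join_request_read_granted?(p) do
    p.resource == "JoinRequest" and p.action == :read and p.granted
  end
end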