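defmodule Mv.Authorization.Checks.NoActor do
  @moduledoc """
  Custom Ash Policy Check that allows actions when no actor is present.

  This is primarily used for:

  - Database seeding (priv/repo/seeds.exs)
  - Test fixtures that create data without authentication
  - Background jobs that operate on behalf of the system

  ## Security Note

  This check should only be used for specific actions where system-level
  access is appropriate. It should always be combined with other policy
  checks that validate actor-based permissions when an actor IS present.

  Because it grants access on the *absence* of an actor, every call path that
  reaches a policy containing it must be one where a missing `actor:` option
  is intended rather than forgotten: a caller that never threads the current
  user through is authorized as "the system". Keep the check on the
  narrowest set of actions that genuinely need it, and where a seed or job can
  pass `authorize?: false` or a dedicated system actor instead, prefer that
  over widening a policy.

  ## Usage in Policies

      policies do
        # Allow seeding and system operations, otherwise require permission.
        # Both checks live in ONE policy: Ash requires every applicable policy
        # to pass, so a separate policy holding only `authorize_if NoActor`
        # would forbid every create that carries an actor.
        policy action_type(:create) do
          authorize_if NoActor
          authorize_if HasPermission
        end

        # Check permissions when actor is present
        policy action_type([:read, :update, :destroy]) do
          authorize_if HasPermission
        end
      end

  ## Behavior

  - Returns `{:ok, true}` when actor is nil (authorizes the check)
  - Returns `{:ok, false}` when actor is present (the check fails and Ash moves
    on to the next check in the policy)
  - `auto_filter` returns nil (no filter; never consulted because
    `strict_check/3` always decides)

  The result depends on the actor alone, so the check never returns
  `{:ok, :unknown}`: an unknown result would ask Ash to resolve it at runtime,
  which this module cannot do — it defines no `check/4`, and `nil` from
  `auto_filter/3` expresses no constraint rather than a denial.
  """

  use Ash.Policy.Check

  @impl true
  @spec describe(keyword()) :: String.t()
  def describe(_opts) do
    "allows actions when no actor is present (for seeds and system operations)"
  end

  @doc """
  Decides the check from the actor only: `{:ok, true}` for a `nil` actor,
  `{:ok, false}` otherwise. `_authorizer` and `_opts` are ignored.
  """
  @impl true
  @spec strict_check(term(), term(), keyword()) :: {:ok, boolean()}
  def strict_check(actor, _authorizer, _opts) do
    # Always a boolean, never :unknown: `false` lets Ash fall through to the
    # next check in the policy without any runtime evaluation (check/4 or a
    # filter) that this module does not provide.
    {:ok, is_nil(actor)}
  end

  @doc """
  Returns `nil` (no filter). Kept for compatibility with callers that expect
  the callback; it is not a source of access control.
  """
  @impl true
  @spec auto_filter(term(), term(), keyword()) :: nil
  def auto_filter(_actor, _authorizer, _opts) do
    # strict_check/3 never returns :unknown, so Ash should never need a filter
    # from this check. NOTE(review): `nil` means "no filter", not "deny" — do
    # not rely on this callback to restrict anything.
    nil
  end
end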