🔗 Elixir, Phoenix, Ash: policies

In Ash Framework, actions require explicit authorization through policies to be executable. By default, if the authorizer extension is enabled and no policies are defined, actions are not accessible.

At the very foundations, a basic policy in Ash made of two parts, one or more conditions and one or more checks. Something like:

policies do
  policy action(:action_name) do
    access_type :strict
    authorize_if condition()
  end
end

The action keyword represents the condition (one, in this case) to evaluate to understand if the policy has to be taken into account; action(:read) means that the policy should be applied and evaluated only if the action name is :read.

The access_types directive is an interesting one, as it defines how the action should be “used”:

:strict - Most restrictive, blocks entire action if conditions aren't met

:filter - provides a softer approach to read actions. Rather than blocking access entirely when a policy check fails, it filters the results to only show records that meet the policy conditions. For instance, if a policy restricts users to viewing posts from their department, :filter will return only matching posts instead of throwing an error. When no records match the conditions, you'll receive an empty list rather than an authorization error.

:runtime - Least restrictive, checks performed after action runs; whatever the resulting response will be, this actions will only then be applied.

The authorize_if is the single check of this policy, which can received either a built-in or a custom one. The usual very good documentation about checks is here.