Ash Framework: Final album policy (p155)

bobek · 15 June 2025 15:09

The final section on policies states that

We can’t combine built-in policy checks, so we’ll have to fall back to writing
an expression, like expr(published == true), to verify both conditions in the same policy check. We end up with a policy like the following:

policy action_type([:update, :destroy]) do
  authorize_if expr(^actor(:role) == :editor and created_by_id == ^actor(:id))
end

Can you please expand on this a bit? Why those cannot be combined? It was stated previously, that simple checks can be combined with filter checks. Also, after some experimenting, I’ve ended up with the following code, which seems to be working:

    policy action([:update, :destroy]) do
      forbid_unless actor_attribute_equals(:role, :editor)
      authorize_if relates_to_actor_via(:created_by)

      # Also added permission to work with Albums without creator, just to experiment.
      # Wonder is there is a better way:
      authorize_if expr(is_nil(created_by_id))
    end

sevenseacat · 19 June 2025 16:21

You can combine simple checks and filter checks as separate checks the same policy, that’s correct.

By “can’t combine built-in checks” I meant in the same policy check, something like:

authorize_if actor_attribute_equals(:role, :editor) && relates_to_actor_via(:created_by)

Which doesn’t work!

I’m pretty sure your version with two checks is equivalent, but I find it a lot harder to wrap my head around it, with the separate checks with inverted rules (which is why I can’t say with 100% confidence that they’re equivalent!)