woylie / let_me Goto Github PK

Handle nested structs with redact function by allowing nested keyword lists in redacted_fields callback.

1. By listing the fields directly: [:name, pet: [:age]]
2. By deferring to another module implementing LetMe.Schema: [:name, pet: MyApp.Pet]

Describe the bug
The following part of the documentation

If you registered the schema module with LetMe.Policy.object/3, you can also
pass the schema module or the struct instead of a tuple.

lets me think that I could this:

MyPolicy.filter_allowed_actions(my_rules, :my_object, MyObjectSchemaModule)

but due to the callback's guards it leads to this error:

    Attempted function clauses (showing 2 out of 2):
    
        def filter_allowed_actions(rules, subject, {object_name, object}, policy) when is_list(rules) and is_atom(object_name)
        def filter_allowed_actions(rules, subject, %_{} = object, policy)

Is my interpretation of the documentation incorrect or is the implementation (accidentally) lacking support to just "pass the schema module"?

To Reproduce
Steps to reproduce the behavior:

See above.

Expected behavior
I'd expect

MyPolicy.filter_allowed_actions(my_rules, :my_object, MyObjectSchemaModule)

to return the list of matching rules.

Versions:

• LetMe: 1.2.2
• Elixir: 1.15.6
• Erlang: 26.1

Additional context
I commented the commit that introduced the statement in the documentation.

Is your feature request related to a problem? Please describe.

I love the DSL of LetMe, but I feel like it is missing a "throw or continue" way of evaluating policies.

Currently, we're locked into the :ok or {:error, :reason} tuple pattern that is common across Elixir, so evaluating a policy might look like:

def update_membership(current_user, id) do
  membership = Repo.get(Membership, id)
  
  Membership.Policy.authorize!(:membership_update, membership, current_user)

  Membership.update(membership, %{something: true})
rescue
  LetMe.UnauthorizedError ->
    {:error, :unauthorized}
end

There is nothing wrong with this approach – but I feel like there could be better ergonomics with assessing policies via pipe operators.

Describe the solution you'd like

I'd love to be able to do something like:

def update_membership(current_user, id) do
  Membership
  |> Repo.get(id)
  |> Membership.Policy.authorize!(:membership_update, current_user)
  |> Membership.update(%{something: true})
rescue
  LetMe.UnauthorizedError ->
    {:error, "something bad"}
end

Describe alternatives you've considered

I've looked at Bodyguard as well, and it seems like this isn't supported either. I'm a big fan of the LetMe DSL – does something like this exist?

Hey,

Describe the bug

It seems like role scoped introspection of rules is not working.
In the docs: https://hexdocs.pm/let_me/readme.html#introspection
it is stated that it is possible to return a list of rules by role: MyApp.Policy.list_rules(role: :writer)

This does not seem to work.
I get the following error when I try:

XXX.Policy.list_rules(role: :admin)
** (ArgumentError) unknown keys [:role] in [role: :admin], the allowed keys are: [:action, :allow, :deny, :object]
    (elixir 1.14.2) lib/keyword.ex:355: Keyword.validate!/2
    (let_me 1.0.1) lib/let_me.ex:68: LetMe.filter_rules/2
    iex:2: (file)

To Reproduce
Steps to reproduce the behavior:
We have a Policy file set up based on the docs, other list_rules/1 filters seem to work.

Expected behavior
Expecting to get a list of rules back that are relevant to the role.

Versions:

• LetMe: 1.0.1
• Elixir: 1.14.2
• Erlang: 25

• LetMe.Policy.filter_allowed_actions(rules, %User{}, {:article, %Article{})