docs: improve policy guide with additional examples (#1513)

---------

Co-authored-by: Zach Daniel <zachary.s.daniel@gmail.com>
aifrak and zachdaniel authored Oct 14, 2024
1 parent 6131110 commit 9280a69
Showing 1 changed file with 16 additions and 1 deletion.
17 changes: 16 additions & 1 deletion documentation/topics/security/policies.md
Expand Up @@ -22,7 +22,7 @@ Then you can start defining policies for your resource.

Each policy defined in a resource has two parts -

- a condition, such as `action_type(:read)` or `actor_attribute_equals(:admin, true)` or `always()`. If this condition is true for a given action request, then the policy will be applied to the request.
- a condition or a list of conditions, such as `action_type(:read)`, `[action_type(:read), actor_attribute_equals(:admin, true)]` or `always()`. If the condition, or all conditions if given a list are true for a given action request, then the policy will be applied to the request.
- a set of policy checks, each of which will be evaluated individually if a policy applies to a request.

If more than one policy applies to any given request (eg. an admin actor calls a read action) then **all applicable policies must pass** for the action to be performed.
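Review bot: the replacement bullet is missing the closing comma of its parenthetical, which makes the sentence hard to parse on first read; suggest `If the condition, or all conditions if given a list, are true for a given action request, then the policy will be applied to the request.` It would also help readers reasoning about authorization to spell out the consequence of a list being conjunctive: a policy whose list of conditions is not fully satisfied is simply skipped for that request rather than forbidding it, so narrowing a policy's conditions changes which policies are "applicable" in the sentence that follows ("all applicable policies must pass"), and the text should say what happens when a request ends up matching no policy at all.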
Expand Down Expand Up @@ -54,6 +54,21 @@ There are four check types, all of which do what they sound like they do:

If a single check does not explicitly authorize or forbid the whole policy, then the flow moves to the next check. For example, if an `authorize_if` check does NOT return true, this _does not mean the whole policy is forbidden_ - it means that further checking is required.

### Policy with `condition` inside `do` block

A condition or a list of conditions can also be moved inside the `policy` block.

This can make a really long list of conditions easier to read.

```elixir
policies do
policy do
condition always()
authorize_if always()
end
end
```

### How a Decision is Reached

**Not every check in a policy must pass!** This is described above, but is very important so another example is provided here. Checks go from top to bottom, are evaluated independently of each other, and _the first one that reaches a decision_ determines the overall _policy result_. For example:
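Review bot: the example under "Policy with `condition` inside `do` block" does not demonstrate the motivation given two sentences earlier ("a really long list of conditions"): it shows a single `condition always()` paired with `authorize_if always()`, which is the most permissive policy possible and is the one shape a reader should not copy into a real resource. Suggest reusing the list already introduced in the bullet above, e.g. `condition [action_type(:read), actor_attribute_equals(:admin, true)]` followed by a check that is not `always()`, so the section shows a conjunctive condition list inside the block and a policy that actually restricts something. Minor: the heading reads better as "Policy with a `condition` inside the `do` block".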
Expand Down
