Validates resolved actor permissions and signals invalid combinations.
Currently enforces one rule (issue #117): a permission that is a deny
(! prefix) must not carry a field_group (5th part). A field-group deny is
invalid because field-group access is positive-only — column restrictions
belong in the resource's field_group definition (inherits/except/mask),
and a deny carrying a field_group currently over-denies the entire action
(fail-closed) rather than the named group.
The validator never changes the authorization outcome; it only signals the invalid permission according to the configured mode:
:off— do nothing:warn— emit aLogger.warning(deduplicated per process):strict— raiseAshGrant.PermissionValidation.InvalidPermissionError
The mode is configured per resource via the field_group_permissions option in
the ash_grant DSL block (default :warn).
Summary
Functions
Validates permissions and signals any invalid deny+field_group entries per mode.
Types
Functions
Validates permissions and signals any invalid deny+field_group entries per mode.
Accepts the same permission representations the resolver may return (strings,
%AshGrant.Permission{} structs, %AshGrant.PermissionInput{}, or
Permissionable maps). Always returns :ok; raises InvalidPermissionError
only in :strict mode when an offender is present.
Options
:resource— the resource module, included in the message for context.