Assertion macros for policy tests.
Provides two assertion macros:
assert_can/2andassert_can/3- Assert an actor can perform an actionassert_cannot/2andassert_cannot/3- Assert an actor cannot perform an action
These macros are automatically imported when you use AshGrant.PolicyTest.
Summary
Functions
Asserts that an actor can perform an action.
Asserts that an actor cannot perform an action.
Asserts that the specified fields are hidden from an actor for an action.
Asserts that the specified fields are visible to an actor for an action.
Functions
Asserts that an actor can perform an action.
Action Specifiers
The second argument can be:
- An atom for action name shorthand:
:read,:update - A keyword list with
:actionor:action_type
Third argument — record and/or arguments
The third argument may be:
- omitted — check permission only
- a bare map — treated as the record attributes
- a keyword list with
:recordand/or:arguments— the latter supplies action-argument values for scopes that use^arg(:name)templates (seeresolve_argumentandguides/argument-based-scope.md)
Examples
# Actor can perform :read action
assert_can :reader, :read
# Actor can perform specific action
assert_can :author, action: :submit_for_review
# Actor can perform any action of type
assert_can :editor, action_type: :update
# Actor can access record with specific attributes
assert_can :reader, :read, %{status: :published}
# Argument-based scope — actor, record, AND action arguments
assert_can :manager, :update,
record: %{author_id: "u1"},
arguments: %{center_id: "center_A"}
Asserts that an actor cannot perform an action.
See assert_can/3 for the accepted third-argument forms (bare record map
or record:/arguments: keyword list).
Examples
# Actor cannot perform :delete action
assert_cannot :viewer, :delete
# Actor cannot access record with specific attributes
assert_cannot :reader, :read, %{status: :draft}
# Argument-based scope — verify a value *outside* the actor's units is denied
assert_cannot :manager, :update,
record: %{author_id: "u1"},
arguments: %{center_id: "center_Z"}
Asserts that the specified fields are visible to an actor for an action.
Resolves the actor's field groups for the given action. If the actor has 4-part permissions (no field_group), all fields are considered visible. If field groups exist, only fields in the resolved groups are visible.
Examples
assert_fields_visible :reader, :read, [:name, :email]
assert_fields_visible :admin, :read, [:name, :salary, :ssn]