AshGrant.PolicyTest.Assertions (AshGrant v0.16.0)

Copy Markdown View Source

Assertion macros for policy tests.

Provides two assertion macros:

These macros are automatically imported when you use AshGrant.PolicyTest.

Summary

Functions

Asserts that an actor can perform an action.

Asserts that an actor cannot perform an action.

Asserts that the specified fields are hidden from an actor for an action.

Asserts that the specified fields are visible to an actor for an action.

Functions

assert_can(actor_name, action_spec)

(macro)

Asserts that an actor can perform an action.

Action Specifiers

The second argument can be:

  • An atom for action name shorthand: :read, :update
  • A keyword list with :action or :action_type

Third argument — record and/or arguments

The third argument may be:

  • omitted — check permission only
  • a bare map — treated as the record attributes
  • a keyword list with :record and/or :arguments — the latter supplies action-argument values for scopes that use ^arg(:name) templates (see resolve_argument and guides/argument-based-scope.md)

Examples

# Actor can perform :read action
assert_can :reader, :read

# Actor can perform specific action
assert_can :author, action: :submit_for_review

# Actor can perform any action of type
assert_can :editor, action_type: :update

# Actor can access record with specific attributes
assert_can :reader, :read, %{status: :published}

# Argument-based scope — actor, record, AND action arguments
assert_can :manager, :update,
  record: %{author_id: "u1"},
  arguments: %{center_id: "center_A"}

assert_can(actor_name, action_spec, record)

(macro)

assert_cannot(actor_name, action_spec)

(macro)

Asserts that an actor cannot perform an action.

See assert_can/3 for the accepted third-argument forms (bare record map or record:/arguments: keyword list).

Examples

# Actor cannot perform :delete action
assert_cannot :viewer, :delete

# Actor cannot access record with specific attributes
assert_cannot :reader, :read, %{status: :draft}

# Argument-based scope — verify a value *outside* the actor's units is denied
assert_cannot :manager, :update,
  record: %{author_id: "u1"},
  arguments: %{center_id: "center_Z"}

assert_cannot(actor_name, action_spec, record)

(macro)

assert_fields_hidden(actor_name, action_spec, fields)

(macro)

Asserts that the specified fields are hidden from an actor for an action.

Resolves the actor's field groups for the given action. If the actor has 4-part permissions (no field_group), no fields are hidden and this assertion will fail. If the actor is denied, all fields are hidden.

Examples

assert_fields_hidden :reader, :read, [:salary, :ssn]
assert_fields_hidden :guest, :read, [:name, :email]

assert_fields_visible(actor_name, action_spec, fields)

(macro)

Asserts that the specified fields are visible to an actor for an action.

Resolves the actor's field groups for the given action. If the actor has 4-part permissions (no field_group), all fields are considered visible. If field groups exist, only fields in the resolved groups are visible.

Examples

assert_fields_visible :reader, :read, [:name, :email]
assert_fields_visible :admin, :read, [:name, :salary, :ssn]