AshGrant.PermissionValidation (AshGrant v0.17.0)

Copy Markdown View Source

Validates resolved actor permissions and signals invalid combinations.

Currently enforces one rule (issue #117): a permission that is a deny (! prefix) must not carry a field_group (5th part). A field-group deny is invalid because field-group access is positive-only — column restrictions belong in the resource's field_group definition (inherits/except/mask), and a deny carrying a field_group currently over-denies the entire action (fail-closed) rather than the named group.

The validator never changes the authorization outcome; it only signals the invalid permission according to the configured mode:

The mode is configured per resource via the field_group_permissions option in the ash_grant DSL block (default :warn).

Summary

Functions

Validates permissions and signals any invalid deny+field_group entries per mode.

Types

mode()

@type mode() :: :off | :warn | :strict

Functions

validate(permissions, mode, opts \\ [])

@spec validate(list(), mode(), keyword()) :: :ok

Validates permissions and signals any invalid deny+field_group entries per mode.

Accepts the same permission representations the resolver may return (strings, %AshGrant.Permission{} structs, %AshGrant.PermissionInput{}, or Permissionable maps). Always returns :ok; raises InvalidPermissionError only in :strict mode when an offender is present.

Options

  • :resource — the resource module, included in the message for context.