Ectomancer.FieldAuth (Ectomancer v1.2.1)

Field-level authorization for Ectomancer tools.

Allows filtering record fields based on actor permissions after a tool executes. Field auth is applied as a response transform: the DB query is unaffected, and only the returned data is filtered. Because the query itself is unchanged, denied fields are still loaded from the database; they are only removed from the data handed back to the caller.

Usage

expose MyApp.Accounts.User,
  field_authorize: fn actor, field ->
    case field do
      :email -> true
      # Guard on a nil actor before any clause reads actor.role; otherwise an
      # unauthenticated call raises instead of being denied.
      _ when is_nil(actor) -> false
      :password_hash -> actor.role == :admin
      :salary -> actor.role == :admin
      _ -> true
    end
  end

The callback receives the actor and the field name (as an atom) and should return true (allow) or false (deny).

Summary

Functions

Filters fields from a tool result based on an authorization callback.

Functions

filter_fields(data, actor, auth_fn)

@spec filter_fields(any(), any(), function()) :: any()

Filters fields from a tool result based on an authorization callback.

Works with single structs, lists of structs, and plain maps.

Examples

iex> filter_fields(%User{email: "a@b.com", password_hash: "secret"}, %{role: :admin}, fn _, _ -> true end)
%{email: "a@b.com", password_hash: "secret"}

iex> filter_fields(%User{email: "a@b.com", password_hash: "secret"}, %{role: :user}, fn
...>   _actor, :password_hash -> false
...>   _actor, _ -> true
...> end)
%{email: "a@b.com"}
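The following stand-alone module is an added illustration of the contract described above (struct, list of structs, or plain map in; plain map(s) with denied fields removed out). It is not Ectomancer's own implementation of filter_fields/3, and the User struct, the authorize/2 policy and the sample records are constructed for the example. It also covers the case the iex examples do not show: a nil actor and a list of records.

```elixir
# Added example; not Ectomancer's code. Same contract as
# Ectomancer.FieldAuth.filter_fields/3, written out so the behaviour
# on structs, lists, maps and a nil actor can be read in one place.
defmodule FieldAuthExample do
  defmodule User do
    defstruct [:id, :email, :password_hash, :salary]
  end

  @doc """
  Filters `data` with `auth_fn.(actor, field)`. A field is kept only when the
  callback returns exactly `true`; `false`, `nil` or any other value denies it
  (fail closed). Structs are converted to plain maps so that `__struct__` is
  never leaked and no struct is rebuilt with keys missing.
  """
  def filter_fields(data, actor, auth_fn) when is_list(data) do
    Enum.map(data, &filter_fields(&1, actor, auth_fn))
  end

  def filter_fields(%_{} = struct, actor, auth_fn) do
    struct
    |> Map.from_struct()
    |> filter_fields(actor, auth_fn)
  end

  def filter_fields(%{} = map, actor, auth_fn) do
    map
    |> Enum.filter(fn {field, _value} -> auth_fn.(actor, field) == true end)
    |> Map.new()
  end

  # Anything that is not a struct, list or map (nil, scalars) passes through.
  def filter_fields(other, _actor, _auth_fn), do: other

  # Deny-by-default policy. Every clause is nil-safe: an unauthenticated call
  # (actor == nil) never reaches `actor.role` and never raises.
  def authorize(nil, _field), do: false
  def authorize(%{role: :admin}, _field), do: true
  def authorize(_actor, field) when field in [:password_hash, :salary], do: false
  def authorize(_actor, _field), do: true

  def demo do
    # Constructed sample records.
    users = [
      %User{id: 1, email: "a@example.com", password_hash: "hash-1", salary: 100},
      %User{id: 2, email: "b@example.com", password_hash: "hash-2", salary: 200}
    ]

    # Unauthenticated: every field is removed, but the call does not crash.
    anon = filter_fields(users, nil, &authorize/2)
    # Regular user: password_hash and salary are stripped from every element.
    user = filter_fields(users, %{role: :user}, &authorize/2)
    # Admin: full records, returned as plain maps.
    admin = filter_fields(users, %{role: :admin}, &authorize/2)

    %{anonymous: anon, user: user, admin: admin}
  end
end

FieldAuthExample.demo()
```

Two choices in this version are worth copying into a real callback: the comparison `== true` means a clause that accidentally returns `nil` denies rather than allows, and the nil-actor clause comes first so that no later clause can dereference a missing actor.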