Doc: access policy fix and expansion #6573
Conversation
docs/datamodel/access_policies.rst
Outdated
| edgedb error: AccessPolicyError: access policy violation on insert of | ||
| default::BlogPost (User must have same ID as blog author) |
There was a problem hiding this comment.
I'm confused how this would be prevented by the access policy. This error message would only trigger if current_user is different from .author.id, but the User for .author is being selected here based on current_user, so they would have to match, right?
There was a problem hiding this comment.
Yeah, not a good example as we discussed last week. A better idea struck me which requires two globals but still simple enough and feels much more like a real world example.
raddevon
changed the title
Co-authored-by: Devon Campbell <[email protected]>
Co-authored-by: Devon Campbell <[email protected]>
Okay, I think I got them all! |
…-policy-fix-and-expansion
|
@raddevon Forgot all about this PR! In the meantime a small merge conflict popped up but has now been resolved. |
|
Okay, just added f005df8 on which operations return empty sets vs. which will show errors. Adding this is pretty nice as it allows a more thorough explanation on |
Fixes #6389 where a user noticed that the syntax declaration for access policies makes it look like annotations should be outside the braces when they should be inside, and that we don't have any access policy examples that show where annotations belong either so it took some experimentation to figure it out.
In our current example there is a bit of new learning to do so instead of declaring a new annotation at the same time, it uses the built-in
errmessageto show where to add such notes and then mentions in the breakdown below that other annotations can go in this space as well. Plus adds an example where you might see this error: where an app is configured wrongly such that a user is allowed to try to write a post but is prevented by the access policy.