Ash Authorization: How to Permit Record Owners to Bypass Permission Check on Some Actions?

It sounds like you want to add another check to each of your policies, eg.

    policy action_type([:create, :update, :destroy]) do
      description "People with permission can ceate, update or destory"
      authorize_if MyApp.Auth.Checks.Can
      authorize_if expr(person.user_id == ^actor(:id))
      access_type :strict
    end

Policy checks cascade - if the first doesn’t pass, then the next one will be attempted.

By the by, there’s also the relates_to_actor_via which sounds like it would fit in here as well :slight_smile: