It sounds like you want to add another check to each of your policies, eg.
policy action_type([:create, :update, :destroy]) do
description "People with permission can ceate, update or destory"
authorize_if MyApp.Auth.Checks.Can
authorize_if expr(person.user_id == ^actor(:id))
access_type :strict
end
Policy checks cascade - if the first doesn’t pass, then the next one will be attempted.
By the by, there’s also the relates_to_actor_via which sounds like it would fit in here as well ![]()






















