]}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [ expr: not (status in [:invited, :accepted]), access_type: :filter ]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {:or, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, ... 
]}}}}}}}}}}}}}}}}} Simplified policy expression: {:and, {:or, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {Ash.Policy.Check.Expression, 
[expr: not (status in [:refused, :removed]), access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: status == :removed, access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :refused]), access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [ expr: not (status in [:invited, :accepted]), access_type: :filter ]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {Ash.Policy.Check.RelatesToActorVia, 
[relationship_path: [:user], field: nil, access_type: :filter]}}}}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {:or, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, ... 
]}}}}}}}}}}}}}}}}} Expanded constants expression: {{:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}}, %Ash.Policy.Authorizer{ actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, accepted_admin_members: #Ash.NotLoaded<:relationship, field: :accepted_admin_members>, organizations: #Ash.NotLoaded<:relationship, field: :organizations>, notifications: #Ash.NotLoaded<:relationship, field: :notifications>, __meta__: #Ecto.Schema.Metadata<:loaded, "users"> }, resource: CauseBeacon.Organizations.AdminMember, query: #Ash.Query< resource: CauseBeacon.Organizations.AdminMember, action: :read, tenant: 
"eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, select: [:default, :id, :status, :level, :inserted_at, :updated_at, :organization_id, :user_id, :role_id] >, changeset: nil, action_input: nil, data: nil, action: %Ash.Resource.Actions.Read{ arguments: [], description: nil, filter: nil, filters: [], get_by: [], get?: false, manual: nil, metadata: [], skip_unknown_inputs: [], skip_global_validations?: false, modify_query: nil, multitenancy: :enforce, name: :read, pagination: %Ash.Resource.Actions.Read.Pagination{ default_limit: nil, max_page_size: 250, countable: true, stable_sort: nil, required?: false, keyset?: true, offset?: true, __spark_metadata__: nil }, preparations: [], primary?: true, touches_resources: [], timeout: nil, transaction?: false, type: :read, __spark_metadata__: nil }, domain: CauseBeacon.Organizations, scenarios: nil, real_scenarios: nil, check_scenarios: nil, subject: #Ash.Query< resource: CauseBeacon.Organizations.AdminMember, action: :read, tenant: "eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, select: [:default, :id, :status, :level, :inserted_at, :updated_at, :organization_id, :user_id, :role_id] >, for_fields: nil, solver_statement: nil, context: %{ private: %{ tracer: [], actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, 
field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, ... }, authorize?: true, async_limiter: nil, loading_relationships?: true, pre_flight_authorization?: false, authorizer_log?: false }, parent_stack: [CauseBeacon.Organizations.Organization], shared: nil, accessing_from: %{ name: :admin_members, source: CauseBeacon.Organizations.Organization } }, policies: [ %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 184 ], properties_anno: %{} } } ], bypass?: nil, description: "Rejoin is only for superadmin!", access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 182 ], properties_anno: %{ description: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 183 ] } } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:invite, :set_rights], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: 
{Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 188 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.AdminMember.CanManageResource, []}, check_module: CauseBeacon.Organizations.AdminMember.CanManageResource, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 189 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 187 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: not (status in [:refused, :removed])]}, check_module: Ash.Policy.Check.Expression, check_opts: [ expr: not (status in [:refused, :removed]), access_type: :filter ], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 194 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.Static, [result: true]}, check_module: Ash.Policy.Check.Static, check_opts: [result: true, access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: 
~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 195 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 193 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: status == :removed]}, check_module: Ash.Policy.Check.Expression, check_opts: [expr: status == :removed, access_type: :filter], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 199 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 200 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.AdminMember.CanManageResource, []}, check_module: CauseBeacon.Organizations.AdminMember.CanManageResource, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 201 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: 
~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 198 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 206 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :refused])]}, check_module: Ash.Policy.Check.Expression, check_opts: [ expr: not (status in [:invited, :refused]), access_type: :filter ], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 207 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 208 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [source: CauseBeacon.Accounts.User, relationship: :admin_members]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ 
anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 209 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 205 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :accepted])]}, check_module: Ash.Policy.Check.Expression, check_opts: [ expr: not (status in [:invited, :accepted]), access_type: :filter ], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 213 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 214 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 212 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [ action: [:set_default_member, :unset_default_member], access_type: :filter ]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, 
[relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 218 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: {218, 7}, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 217 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:read, :search], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 228 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil ]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 229 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [source: CauseBeacon.Accounts.User, relationship: :admin_members]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ 
source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 230 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members ]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 231 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member ]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 232 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 226 ], properties_anno: %{} } } ], facts: %{ {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ]} => false, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]} => false, {Ash.Policy.Check.AccessingFrom, [ source: 
CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, access_type: :filter ]} => false, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]} => true, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]} => false, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]} => :unknown, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]} => :unknown }, data_facts: %{} }} Policy.solve expression: {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}} strict_check_scenarios filtered scenarios: [ %{ {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]} => true }, %{ {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]} => true } ] 20:40:31.299 [error] Successful authorization: CauseBeacon.Organizations.AdminMember.read Generated Filter: user.id == "f3c0d977-5d34-4207-a6db-d280f3631376" or exists(organization.admin_members.user, id == 
"f3c0d977-5d34-4207-a6db-d280f3631376") Policy Breakdown user: %{id: "f3c0d977-5d34-4207-a6db-d280f3631376"} Policy | ?: condition: action in [:invite, :set_rights] Policy | ?: condition: action in [:set_default_member, :unset_default_member] Policy | ?: condition: action in [:read, :search] 20:40:31.301 [debug] QUERY OK source="admin_members" db=0.9ms SELECT a0."default", a0."id", a0."status", a0."level", a0."inserted_at", a0."updated_at", a0."organization_id", a0."user_id", a0."role_id" FROM "admin_members" AS a0 LEFT OUTER JOIN "public"."users" AS u1 ON a0."user_id" = u1."id" WHERE ((u1."id"::uuid = $1::uuid) OR exists((SELECT 1 FROM "public"."organizations" AS so0 INNER JOIN (SELECT ssa0."id" AS "id", ssa0."level" AS "level", ssa0."status" AS "status", ssa0."default" AS "default", ssa0."inserted_at" AS "inserted_at", ssa0."updated_at" AS "updated_at", ssa0."user_id" AS "user_id", ssa0."organization_id" AS "organization_id", ssa0."role_id" AS "role_id" FROM "public"."admin_members" AS ssa0 WHERE (ssa0."organization_id"::uuid = $2::uuid)) AS ss1 ON so0."id" = ss1."organization_id" INNER JOIN "public"."users" AS su2 ON ss1."user_id" = su2."id" WHERE (su2."id"::uuid = $3::uuid) AND (a0."organization_id" = so0."id")))) AND (a0."organization_id"::uuid = $4::uuid) ["f3c0d977-5d34-4207-a6db-d280f3631376", "eeba57e1-af01-4bcb-9338-fdd929e88ddb", "f3c0d977-5d34-4207-a6db-d280f3631376", "eeba57e1-af01-4bcb-9338-fdd929e88ddb"] CanReadMemberNote filter: true Expanded constants expression: {false, %Ash.Policy.Authorizer{ actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: 
:in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, accepted_admin_members: #Ash.NotLoaded<:relationship, field: :accepted_admin_members>, organizations: #Ash.NotLoaded<:relationship, field: :organizations>, notifications: #Ash.NotLoaded<:relationship, field: :notifications>, __meta__: #Ecto.Schema.Metadata<:loaded, "users"> }, resource: CauseBeacon.Organizations.MemberNote, query: #Ash.Query< resource: CauseBeacon.Organizations.MemberNote, action: :read, tenant: "eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, select: [:id, :tag, :description, :inserted_at, :updated_at, :organization_id, :admin_member_id, :member_id, :access_level, :note_date] >, changeset: nil, action_input: nil, data: nil, action: %Ash.Resource.Actions.Read{ arguments: [], description: nil, filter: nil, filters: [], get_by: [], get?: false, manual: nil, metadata: [], skip_unknown_inputs: [], skip_global_validations?: false, modify_query: nil, multitenancy: :enforce, name: :read, pagination: %Ash.Resource.Actions.Read.Pagination{ default_limit: nil, max_page_size: 250, countable: true, stable_sort: nil, required?: false, keyset?: true, offset?: true, __spark_metadata__: nil }, preparations: [], primary?: true, touches_resources: [], timeout: nil, transaction?: false, type: :read, 
__spark_metadata__: nil }, domain: CauseBeacon.Organizations, scenarios: nil, real_scenarios: nil, check_scenarios: nil, subject: #Ash.Query< resource: CauseBeacon.Organizations.MemberNote, action: :read, tenant: "eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, select: [:id, :tag, :description, :inserted_at, :updated_at, :organization_id, :admin_member_id, :member_id, :access_level, :note_date] >, for_fields: nil, solver_statement: nil, context: %{ private: %{ actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, accepted_admin_members: #Ash.NotLoaded<:relationship, field: :accepted_admin_members>, ... 
}, authorize?: true, pre_flight_authorization?: false, authorizer_log?: false } }, policies: [ %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 78 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.Role.CanReadMemberNote, []}, check_module: CauseBeacon.Organizations.Role.CanReadMemberNote, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 79 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 75, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 77 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActionType, [type: [:destroy], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 84 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: 
{CauseBeacon.Organizations.Role.CanDeleteMemberNote, []}, check_module: CauseBeacon.Organizations.Role.CanDeleteMemberNote, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 85 ], properties_anno: %{} } } ], bypass?: nil, description: "This action is to remove a note!", access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 75, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 82 ], properties_anno: %{ description: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 83 ] } } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 89 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.Role.CanCreateMemberNote, []}, check_module: CauseBeacon.Organizations.Role.CanCreateMemberNote, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 90 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 75, file: 
~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 88 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 94 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.Role.CanUpdateMemberNote, []}, check_module: CauseBeacon.Organizations.Role.CanUpdateMemberNote, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 95 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 75, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 93 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Static, [result: true]}, check_module: Ash.Policy.Check.Static, check_opts: [result: true, access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 99 ], properties_anno: %{} } } ], bypass?: true, description: 
nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: {99, 7}, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 98 ], properties_anno: %{} } } ], facts: %{ {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]} => false, {Ash.Policy.Check.ActionType, [type: [:destroy], access_type: :filter]} => false, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} => true, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]} => false, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]} => false, {CauseBeacon.Organizations.Role.CanReadMemberNote, [access_type: :filter]} => true }, data_facts: %{} }} Policy.solve expression: false strict_check_scenarios boolean result: false strict_check_result: {:ok, false, %Ash.Policy.Authorizer{ actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: 
#Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, accepted_admin_members: #Ash.NotLoaded<:relationship, field: :accepted_admin_members>, organizations: #Ash.NotLoaded<:relationship, field: :organizations>, notifications: #Ash.NotLoaded<:relationship, field: :notifications>, __meta__: #Ecto.Schema.Metadata<:loaded, "users"> }, resource: CauseBeacon.Organizations.MemberNote, query: #Ash.Query< resource: CauseBeacon.Organizations.MemberNote, action: :read, tenant: "eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, select: [:id, :tag, :description, :inserted_at, :updated_at, :organization_id, :admin_member_id, :member_id, :access_level, :note_date] >, changeset: nil, action_input: nil, data: nil, action: %Ash.Resource.Actions.Read{ arguments: [], description: nil, filter: nil, filters: [], get_by: [], get?: false, manual: nil, metadata: [], skip_unknown_inputs: [], skip_global_validations?: false, modify_query: nil, multitenancy: :enforce, name: :read, pagination: %Ash.Resource.Actions.Read.Pagination{ default_limit: nil, max_page_size: 250, countable: true, stable_sort: nil, required?: false, keyset?: true, offset?: true, __spark_metadata__: nil }, preparations: [], primary?: true, touches_resources: [], timeout: nil, transaction?: false, type: :read, __spark_metadata__: nil }, domain: CauseBeacon.Organizations, scenarios: nil, real_scenarios: nil, check_scenarios: nil, subject: #Ash.Query< resource: CauseBeacon.Organizations.MemberNote, action: :read, tenant: "eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, select: [:id, :tag, :description, :inserted_at, :updated_at, :organization_id, :admin_member_id, :member_id, :access_level, :note_date] >, for_fields: nil, solver_statement: false, context: %{ private: %{ actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: 
"f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, ... 
}, authorize?: true, pre_flight_authorization?: false, authorizer_log?: false } }, policies: [ %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 78 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.Role.CanReadMemberNote, []}, check_module: CauseBeacon.Organizations.Role.CanReadMemberNote, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 79 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 75, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 77 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActionType, [type: [:destroy], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 84 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: 
{CauseBeacon.Organizations.Role.CanDeleteMemberNote, []}, check_module: CauseBeacon.Organizations.Role.CanDeleteMemberNote, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 85 ], properties_anno: %{} } } ], bypass?: nil, description: "This action is to remove a note!", access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 75, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 82 ], properties_anno: %{ description: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 83 ] } } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 89 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.Role.CanCreateMemberNote, []}, check_module: CauseBeacon.Organizations.Role.CanCreateMemberNote, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 90 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 75, file: 
~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 88 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 94 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.Role.CanUpdateMemberNote, []}, check_module: CauseBeacon.Organizations.Role.CanUpdateMemberNote, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 95 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 75, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 93 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Static, [result: true]}, check_module: Ash.Policy.Check.Static, check_opts: [result: true, access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 99 ], properties_anno: %{} } } ], bypass?: true, description: 
nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: {99, 7}, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/member_note.ex", location: 98 ], properties_anno: %{} } } ], facts: %{ {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]} => false, {Ash.Policy.Check.ActionType, [type: [:destroy], access_type: :filter]} => false, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} => true, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]} => false, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]} => false, {CauseBeacon.Organizations.Role.CanReadMemberNote, [access_type: :filter]} => true }, data_facts: %{} }} 20:40:31.303 [debug] QUERY OK source="organizations" db=0.2ms SELECT o0."id" FROM "organizations" AS o0 WHERE (o0."id"::uuid = $1::uuid) ["eeba57e1-af01-4bcb-9338-fdd929e88ddb"] Initial policy expression: {:and, {:or, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: 
:filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:refused, :removed]), access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: status == :removed, access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :refused]), access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, 
access_type: :filter]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [ expr: not (status in [:invited, :accepted]), access_type: :filter ]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {:or, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, ... 
]}}}}}}}}}}}}}}}}} Simplified policy expression: {:and, {:or, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {Ash.Policy.Check.Expression, 
[expr: not (status in [:refused, :removed]), access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: status == :removed, access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :refused]), access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [ expr: not (status in [:invited, :accepted]), access_type: :filter ]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {Ash.Policy.Check.RelatesToActorVia, 
[relationship_path: [:user], field: nil, access_type: :filter]}}}}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {:or, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, ... 
]}}}}}}}}}}}}}}}}} Expanded constants expression: {{:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}}, %Ash.Policy.Authorizer{ actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, accepted_admin_members: #Ash.NotLoaded<:relationship, field: :accepted_admin_members>, organizations: #Ash.NotLoaded<:relationship, field: :organizations>, notifications: #Ash.NotLoaded<:relationship, field: :notifications>, __meta__: #Ecto.Schema.Metadata<:loaded, "users"> }, resource: CauseBeacon.Organizations.AdminMember, query: #Ash.Query< resource: CauseBeacon.Organizations.AdminMember, action: :read, tenant: 
"eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, load: [ role: #Ash.Query< resource: CauseBeacon.Organizations.Role, load: [ permissions: #Ash.Query ] > ], select: [:default, :id, :status, :level, :inserted_at, :updated_at, :organization_id, :user_id, :role_id] >, changeset: nil, action_input: nil, data: nil, action: %Ash.Resource.Actions.Read{ arguments: [], description: nil, filter: nil, filters: [], get_by: [], get?: false, manual: nil, metadata: [], skip_unknown_inputs: [], skip_global_validations?: false, modify_query: nil, multitenancy: :enforce, name: :read, pagination: %Ash.Resource.Actions.Read.Pagination{ default_limit: nil, max_page_size: 250, countable: true, stable_sort: nil, required?: false, keyset?: true, offset?: true, __spark_metadata__: nil }, preparations: [], primary?: true, touches_resources: [], timeout: nil, transaction?: false, type: :read, __spark_metadata__: nil }, domain: CauseBeacon.Organizations, scenarios: nil, real_scenarios: nil, check_scenarios: nil, subject: #Ash.Query< resource: CauseBeacon.Organizations.AdminMember, action: :read, tenant: "eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, load: [ role: #Ash.Query< resource: CauseBeacon.Organizations.Role, load: [ permissions: #Ash.Query ] > ], select: [:default, :id, :status, :level, :inserted_at, :updated_at, :organization_id, :user_id, :role_id] >, for_fields: nil, solver_statement: nil, context: %{ private: %{ tracer: [], actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", 
permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, ... }, authorize?: true, async_limiter: nil, loading_relationships?: true, pre_flight_authorization?: false, authorizer_log?: false }, parent_stack: [CauseBeacon.Organizations.Organization], shared: nil, accessing_from: %{ name: :current_admin_member, source: CauseBeacon.Organizations.Organization } }, policies: [ %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 184 ], properties_anno: %{} } } ], bypass?: nil, description: "Rejoin is only for superadmin!", access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 182 ], properties_anno: %{ description: [ file: 
~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 183 ] } } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:invite, :set_rights], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 188 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.AdminMember.CanManageResource, []}, check_module: CauseBeacon.Organizations.AdminMember.CanManageResource, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 189 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 187 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: not (status in [:refused, :removed])]}, check_module: Ash.Policy.Check.Expression, check_opts: [ expr: not (status in [:refused, :removed]), access_type: :filter ], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 194 ], 
properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.Static, [result: true]}, check_module: Ash.Policy.Check.Static, check_opts: [result: true, access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 195 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 193 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: status == :removed]}, check_module: Ash.Policy.Check.Expression, check_opts: [expr: status == :removed, access_type: :filter], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 199 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 200 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.AdminMember.CanManageResource, []}, check_module: CauseBeacon.Organizations.AdminMember.CanManageResource, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: 
~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 201 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 198 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 206 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :refused])]}, check_module: Ash.Policy.Check.Expression, check_opts: [ expr: not (status in [:invited, :refused]), access_type: :filter ], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 207 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 208 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: 
{Ash.Policy.Check.AccessingFrom, [source: CauseBeacon.Accounts.User, relationship: :admin_members]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 209 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 205 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :accepted])]}, check_module: Ash.Policy.Check.Expression, check_opts: [ expr: not (status in [:invited, :accepted]), access_type: :filter ], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 213 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 214 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: 
~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 212 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [ action: [:set_default_member, :unset_default_member], access_type: :filter ]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 218 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: {218, 7}, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 217 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:read, :search], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 228 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil ]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: 
%Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 229 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [source: CauseBeacon.Accounts.User, relationship: :admin_members]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 230 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members ]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 231 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member ]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 232 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", 
location: 226 ], properties_anno: %{} } } ], facts: %{ {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ]} => false, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]} => false, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, access_type: :filter ]} => false, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]} => true, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]} => false, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]} => :unknown, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]} => :unknown }, data_facts: %{} }} Policy.solve expression: {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}} strict_check_scenarios filtered scenarios: [ %{ {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, 
:user], field: nil, access_type: :filter ]} => true }, %{ {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]} => true } ] 20:40:31.307 [error] Successful authorization: CauseBeacon.Organizations.AdminMember.read Generated Filter: user.id == "f3c0d977-5d34-4207-a6db-d280f3631376" or exists(organization.admin_members.user, id == "f3c0d977-5d34-4207-a6db-d280f3631376") Policy Breakdown user: %{id: "f3c0d977-5d34-4207-a6db-d280f3631376"} Policy | ?: condition: action in [:invite, :set_rights] Policy | ?: condition: action in [:set_default_member, :unset_default_member] Policy | ?: condition: action in [:read, :search] 20:40:31.308 [debug] QUERY OK source="admin_members" db=0.7ms SELECT a0."default", a0."id", a0."status", a0."level", a0."inserted_at", a0."updated_at", a0."organization_id", a0."user_id", a0."role_id" FROM "admin_members" AS a0 LEFT OUTER JOIN "public"."users" AS u1 ON a0."user_id" = u1."id" WHERE (a0."user_id"::uuid = $1::uuid) AND (a0."status"::varchar = $2::varchar) AND (a0."organization_id"::uuid = ANY($3::uuid[])) AND (a0."organization_id"::uuid = $4::uuid) AND ((u1."id"::uuid = $5::uuid) OR exists((SELECT 1 FROM "public"."organizations" AS so0 INNER JOIN (SELECT ssa0."id" AS "id", ssa0."level" AS "level", ssa0."status" AS "status", ssa0."default" AS "default", ssa0."inserted_at" AS "inserted_at", ssa0."updated_at" AS "updated_at", ssa0."user_id" AS "user_id", ssa0."organization_id" AS "organization_id", ssa0."role_id" AS "role_id" FROM "public"."admin_members" AS ssa0 WHERE (ssa0."organization_id"::uuid = $6::uuid)) AS ss1 ON so0."id" = ss1."organization_id" INNER JOIN "public"."users" AS su2 ON ss1."user_id" = su2."id" WHERE (su2."id"::uuid = $7::uuid) AND (a0."organization_id" = so0."id")))) ["f3c0d977-5d34-4207-a6db-d280f3631376", :accepted, ["eeba57e1-af01-4bcb-9338-fdd929e88ddb"], "eeba57e1-af01-4bcb-9338-fdd929e88ddb", "f3c0d977-5d34-4207-a6db-d280f3631376", 
"eeba57e1-af01-4bcb-9338-fdd929e88ddb", "f3c0d977-5d34-4207-a6db-d280f3631376"] Initial policy expression: {:and, {:or, {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:or, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]}, {:or, {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]}, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: admin_member_count > 0, access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:and, {:not, {:and, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]}, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}}}}}, {:not, {:and, {:or, {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]}, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]}, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]}}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}}} Simplified policy expression: {:and, {:or, {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]}, {:or, 
{Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:or, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]}, {:or, {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]}, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: admin_member_count > 0, access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:and, {:not, {:and, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]}, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}}}}}, {:not, {:and, {:or, {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]}, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]}, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]}}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}}} Expanded constants expression: {{Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}, %Ash.Policy.Authorizer{ actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: 
#Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, accepted_admin_members: #Ash.NotLoaded<:relationship, field: :accepted_admin_members>, organizations: #Ash.NotLoaded<:relationship, field: :organizations>, notifications: #Ash.NotLoaded<:relationship, field: :notifications>, __meta__: #Ecto.Schema.Metadata<:loaded, "users"> }, resource: CauseBeacon.Organizations.Role, query: #Ash.Query< resource: CauseBeacon.Organizations.Role, action: :read, tenant: "eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, load: [ permissions: #Ash.Query ], select: [:id, :name, :inserted_at, :updated_at, :organization_id] >, changeset: nil, action_input: nil, data: nil, action: %Ash.Resource.Actions.Read{ arguments: [], description: nil, filter: nil, filters: [], get_by: [], get?: false, manual: nil, metadata: [], skip_unknown_inputs: [], skip_global_validations?: false, modify_query: nil, multitenancy: :enforce, name: :read, pagination: 
%Ash.Resource.Actions.Read.Pagination{ default_limit: nil, max_page_size: 250, countable: true, stable_sort: nil, required?: false, keyset?: true, offset?: true, __spark_metadata__: nil }, preparations: [], primary?: true, touches_resources: [], timeout: nil, transaction?: false, type: :read, __spark_metadata__: nil }, domain: CauseBeacon.Organizations, scenarios: nil, real_scenarios: nil, check_scenarios: nil, subject: #Ash.Query< resource: CauseBeacon.Organizations.Role, action: :read, tenant: "eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, load: [ permissions: #Ash.Query ], select: [:id, :name, :inserted_at, :updated_at, :organization_id] >, for_fields: nil, solver_statement: nil, context: %{ private: %{ tracer: [], actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, ... 
}, authorize?: true, async_limiter: nil, loading_relationships?: true, pre_flight_authorization?: false, authorizer_log?: false }, parent_stack: [CauseBeacon.Organizations.AdminMember, CauseBeacon.Organizations.Organization], shared: nil, accessing_from: %{ name: :role, source: CauseBeacon.Organizations.AdminMember } }, policies: [ %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: admin_member_count > 0]}, check_module: Ash.Policy.Check.Expression, check_opts: [expr: admin_member_count > 0, access_type: :filter], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 28 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 29 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.AdminMember.CanManageResource, []}, check_module: CauseBeacon.Organizations.AdminMember.CanManageResource, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 30 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 25, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 27 ], 
properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Static, [result: true]}, check_module: Ash.Policy.Check.Static, check_opts: [result: true, access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 34 ], properties_anno: %{} } } ], bypass?: true, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: {34, 7}, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 33 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil ]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 38 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: {38, 7}, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 37 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActionType, [type: [:create, :update], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {CauseBeacon.Organizations.AdminMember.CanManageResource, []}, check_module: 
CauseBeacon.Organizations.AdminMember.CanManageResource, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 42 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: {42, 7}, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 41 ], properties_anno: %{} } } ], facts: %{ {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]} => false, {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]} => false, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} => true, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]} => false, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]} => false, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]} => :unknown }, data_facts: %{} }} Policy.solve expression: {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]} strict_check_scenarios filtered scenarios: [ %{ {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]} => true } ] 20:40:31.309 [error] Successful authorization: CauseBeacon.Organizations.Role.read Generated Filter: exists(organization.admin_members.user, id == "f3c0d977-5d34-4207-a6db-d280f3631376") Policy Breakdown user: %{id: "f3c0d977-5d34-4207-a6db-d280f3631376"} Policy | 🔎: condition: action.type == :read authorize if: record.organization.admin_members.user == actor | exists(organization.admin_members.user, [id: 
"f3c0d977-5d34-4207-a6db-d280f3631376"]) | ✓ | 🔎 Policy | ?: condition: action.type in [:create, :update] 20:40:31.310 [debug] QUERY OK source="roles" db=0.4ms SELECT r0."id", r0."name", r0."inserted_at", r0."updated_at", r0."organization_id" FROM "roles" AS r0 WHERE (r0."organization_id"::uuid = $1::uuid) AND (r0."id"::uuid = ANY($2::uuid[])) AND (exists((SELECT 1 FROM "public"."organizations" AS so0 INNER JOIN (SELECT ssa0."id" AS "id", ssa0."level" AS "level", ssa0."status" AS "status", ssa0."default" AS "default", ssa0."inserted_at" AS "inserted_at", ssa0."updated_at" AS "updated_at", ssa0."user_id" AS "user_id", ssa0."organization_id" AS "organization_id", ssa0."role_id" AS "role_id" FROM "public"."admin_members" AS ssa0 WHERE (ssa0."organization_id"::uuid = $3::uuid)) AS ss1 ON so0."id" = ss1."organization_id" INNER JOIN "public"."users" AS su2 ON ss1."user_id" = su2."id" WHERE (su2."id"::uuid = $4::uuid) AND (r0."organization_id" = so0."id")))) ["eeba57e1-af01-4bcb-9338-fdd929e88ddb", [nil], "eeba57e1-af01-4bcb-9338-fdd929e88ddb", "f3c0d977-5d34-4207-a6db-d280f3631376"] Initial policy expression: {:and, {:or, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: 
:filter]}}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:refused, :removed]), access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: status == :removed, access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :refused]), 
access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [ expr: not (status in [:invited, :accepted]), access_type: :filter ]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {:or, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ]}, 
{Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, ... ]}}}}}}}}}}}}}}}}} Simplified policy expression: {:and, {:or, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, 
{:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:refused, :removed]), access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: status == :removed, access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :refused]), access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [ expr: not (status in [:invited, :accepted]), access_type: :filter ]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, 
{Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {:or, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, ... 
]}}}}}}}}}}}}}}}}} Expanded constants expression: {{:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}}, %Ash.Policy.Authorizer{ actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, accepted_admin_members: #Ash.NotLoaded<:relationship, field: :accepted_admin_members>, organizations: #Ash.NotLoaded<:relationship, field: :organizations>, notifications: #Ash.NotLoaded<:relationship, field: :notifications>, __meta__: #Ecto.Schema.Metadata<:loaded, "users"> }, resource: CauseBeacon.Organizations.AdminMember, query: #Ash.Query< resource: CauseBeacon.Organizations.AdminMember, action: :read, tenant: 
"eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, select: [:default, :id, :status, :level, :inserted_at, :updated_at, :organization_id, :user_id, :role_id] >, changeset: nil, action_input: nil, data: nil, action: %Ash.Resource.Actions.Read{ arguments: [], description: nil, filter: nil, filters: [], get_by: [], get?: false, manual: nil, metadata: [], skip_unknown_inputs: [], skip_global_validations?: false, modify_query: nil, multitenancy: :enforce, name: :read, pagination: %Ash.Resource.Actions.Read.Pagination{ default_limit: nil, max_page_size: 250, countable: true, stable_sort: nil, required?: false, keyset?: true, offset?: true, __spark_metadata__: nil }, preparations: [], primary?: true, touches_resources: [], timeout: nil, transaction?: false, type: :read, __spark_metadata__: nil }, domain: CauseBeacon.Organizations, scenarios: nil, real_scenarios: nil, check_scenarios: nil, subject: #Ash.Query< resource: CauseBeacon.Organizations.AdminMember, action: :read, tenant: "eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, select: [:default, :id, :status, :level, :inserted_at, :updated_at, :organization_id, :user_id, :role_id] >, for_fields: nil, solver_statement: nil, context: %{ private: %{ tracer: [], actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, 
field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, ... }, authorize?: true, async_limiter: nil, loading_relationships?: true, pre_flight_authorization?: false, authorizer_log?: false }, parent_stack: [CauseBeacon.Organizations.Organization], shared: nil, accessing_from: %{ name: :admin_members, source: CauseBeacon.Organizations.Organization } }, policies: [ %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 184 ], properties_anno: %{} } } ], bypass?: nil, description: "Rejoin is only for superadmin!", access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 182 ], properties_anno: %{ description: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 183 ] } } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:invite, :set_rights], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: 
{Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 188 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.AdminMember.CanManageResource, []}, check_module: CauseBeacon.Organizations.AdminMember.CanManageResource, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 189 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 187 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: not (status in [:refused, :removed])]}, check_module: Ash.Policy.Check.Expression, check_opts: [ expr: not (status in [:refused, :removed]), access_type: :filter ], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 194 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.Static, [result: true]}, check_module: Ash.Policy.Check.Static, check_opts: [result: true, access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: 
~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 195 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 193 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: status == :removed]}, check_module: Ash.Policy.Check.Expression, check_opts: [expr: status == :removed, access_type: :filter], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 199 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 200 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.AdminMember.CanManageResource, []}, check_module: CauseBeacon.Organizations.AdminMember.CanManageResource, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 201 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: 
~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 198 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 206 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :refused])]}, check_module: Ash.Policy.Check.Expression, check_opts: [ expr: not (status in [:invited, :refused]), access_type: :filter ], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 207 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 208 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [source: CauseBeacon.Accounts.User, relationship: :admin_members]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ 
anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 209 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 205 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :accepted])]}, check_module: Ash.Policy.Check.Expression, check_opts: [ expr: not (status in [:invited, :accepted]), access_type: :filter ], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 213 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 214 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 212 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [ action: [:set_default_member, :unset_default_member], access_type: :filter ]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, 
[relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 218 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: {218, 7}, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 217 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:read, :search], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 228 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil ]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 229 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [source: CauseBeacon.Accounts.User, relationship: :admin_members]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ 
source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 230 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members ]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 231 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member ]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 232 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 226 ], properties_anno: %{} } } ], facts: %{ {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ]} => false, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]} => false, {Ash.Policy.Check.AccessingFrom, [ source: 
CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, access_type: :filter ]} => false, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]} => true, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]} => false, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]} => :unknown, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]} => :unknown }, data_facts: %{} }} Policy.solve expression: {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}} strict_check_scenarios filtered scenarios: [ %{ {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]} => true }, %{ {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]} => true } ] 20:40:31.314 [error] Successful authorization: CauseBeacon.Organizations.AdminMember.read Generated Filter: user.id == "f3c0d977-5d34-4207-a6db-d280f3631376" or exists(organization.admin_members.user, id == 
"f3c0d977-5d34-4207-a6db-d280f3631376") Policy Breakdown user: %{id: "f3c0d977-5d34-4207-a6db-d280f3631376"} Policy | ?: condition: action in [:invite, :set_rights] Policy | ?: condition: action in [:set_default_member, :unset_default_member] Policy | ?: condition: action in [:read, :search] 20:40:31.315 [debug] QUERY OK source="admin_members" db=0.7ms SELECT a0."default", a0."id", a0."status", a0."level", a0."inserted_at", a0."updated_at", a0."organization_id", a0."user_id", a0."role_id" FROM "admin_members" AS a0 LEFT OUTER JOIN "public"."users" AS u1 ON a0."user_id" = u1."id" WHERE ((u1."id"::uuid = $1::uuid) OR exists((SELECT 1 FROM "public"."organizations" AS so0 INNER JOIN (SELECT ssa0."id" AS "id", ssa0."level" AS "level", ssa0."status" AS "status", ssa0."default" AS "default", ssa0."inserted_at" AS "inserted_at", ssa0."updated_at" AS "updated_at", ssa0."user_id" AS "user_id", ssa0."organization_id" AS "organization_id", ssa0."role_id" AS "role_id" FROM "public"."admin_members" AS ssa0 WHERE (ssa0."organization_id"::uuid = $2::uuid)) AS ss1 ON so0."id" = ss1."organization_id" INNER JOIN "public"."users" AS su2 ON ss1."user_id" = su2."id" WHERE (su2."id"::uuid = $3::uuid) AND (a0."organization_id" = so0."id")))) AND (a0."organization_id"::uuid = $4::uuid) ["f3c0d977-5d34-4207-a6db-d280f3631376", "eeba57e1-af01-4bcb-9338-fdd929e88ddb", "f3c0d977-5d34-4207-a6db-d280f3631376", "eeba57e1-af01-4bcb-9338-fdd929e88ddb"] 20:40:31.316 [debug] QUERY OK source="organizations" db=0.1ms SELECT o0."id" FROM "organizations" AS o0 WHERE (o0."id"::uuid = $1::uuid) ["eeba57e1-af01-4bcb-9338-fdd929e88ddb"] Initial policy expression: {:and, {:or, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:or, 
{Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:refused, :removed]), access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: status == :removed, access_type: :filter]}}, {:or, 
{Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :refused]), access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [ expr: not (status in [:invited, :accepted]), access_type: :filter ]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: 
[:search], access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {:or, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, ... ]}}}}}}}}}}}}}}}}} Simplified policy expression: {:and, {:or, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], 
access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:refused, :removed]), access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: status == :removed, access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :refused]), access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: 
[:refuse], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [ expr: not (status in [:invited, :accepted]), access_type: :filter ]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {:or, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, ... 
]}}}}}}}}}}}}}}}}} Expanded constants expression: {{:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}}, %Ash.Policy.Authorizer{ actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, accepted_admin_members: #Ash.NotLoaded<:relationship, field: :accepted_admin_members>, organizations: #Ash.NotLoaded<:relationship, field: :organizations>, notifications: #Ash.NotLoaded<:relationship, field: :notifications>, __meta__: #Ecto.Schema.Metadata<:loaded, "users"> }, resource: CauseBeacon.Organizations.AdminMember, query: #Ash.Query< resource: CauseBeacon.Organizations.AdminMember, action: :read, tenant: 
"eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, load: [ role: #Ash.Query< resource: CauseBeacon.Organizations.Role, load: [ permissions: #Ash.Query ] > ], select: [:default, :id, :status, :level, :inserted_at, :updated_at, :organization_id, :user_id, :role_id] >, changeset: nil, action_input: nil, data: nil, action: %Ash.Resource.Actions.Read{ arguments: [], description: nil, filter: nil, filters: [], get_by: [], get?: false, manual: nil, metadata: [], skip_unknown_inputs: [], skip_global_validations?: false, modify_query: nil, multitenancy: :enforce, name: :read, pagination: %Ash.Resource.Actions.Read.Pagination{ default_limit: nil, max_page_size: 250, countable: true, stable_sort: nil, required?: false, keyset?: true, offset?: true, __spark_metadata__: nil }, preparations: [], primary?: true, touches_resources: [], timeout: nil, transaction?: false, type: :read, __spark_metadata__: nil }, domain: CauseBeacon.Organizations, scenarios: nil, real_scenarios: nil, check_scenarios: nil, subject: #Ash.Query< resource: CauseBeacon.Organizations.AdminMember, action: :read, tenant: "eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, load: [ role: #Ash.Query< resource: CauseBeacon.Organizations.Role, load: [ permissions: #Ash.Query ] > ], select: [:default, :id, :status, :level, :inserted_at, :updated_at, :organization_id, :user_id, :role_id] >, for_fields: nil, solver_statement: nil, context: %{ private: %{ tracer: [], actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", 
permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, ... }, authorize?: true, async_limiter: nil, loading_relationships?: true, pre_flight_authorization?: false, authorizer_log?: false }, parent_stack: [CauseBeacon.Organizations.Organization], shared: nil, accessing_from: %{ name: :current_admin_member, source: CauseBeacon.Organizations.Organization } }, policies: [ %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 184 ], properties_anno: %{} } } ], bypass?: nil, description: "Rejoin is only for superadmin!", access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 182 ], properties_anno: %{ description: [ file: 
~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 183 ] } } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:invite, :set_rights], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 188 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.AdminMember.CanManageResource, []}, check_module: CauseBeacon.Organizations.AdminMember.CanManageResource, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 189 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 187 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: not (status in [:refused, :removed])]}, check_module: Ash.Policy.Check.Expression, check_opts: [ expr: not (status in [:refused, :removed]), access_type: :filter ], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 194 ], 
properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.Static, [result: true]}, check_module: Ash.Policy.Check.Static, check_opts: [result: true, access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 195 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 193 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: status == :removed]}, check_module: Ash.Policy.Check.Expression, check_opts: [expr: status == :removed, access_type: :filter], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 199 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 200 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.AdminMember.CanManageResource, []}, check_module: CauseBeacon.Organizations.AdminMember.CanManageResource, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: 
~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 201 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 198 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 206 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :refused])]}, check_module: Ash.Policy.Check.Expression, check_opts: [ expr: not (status in [:invited, :refused]), access_type: :filter ], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 207 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 208 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: 
{Ash.Policy.Check.AccessingFrom, [source: CauseBeacon.Accounts.User, relationship: :admin_members]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 209 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 205 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :accepted])]}, check_module: Ash.Policy.Check.Expression, check_opts: [ expr: not (status in [:invited, :accepted]), access_type: :filter ], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 213 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 214 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: 
~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 212 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [ action: [:set_default_member, :unset_default_member], access_type: :filter ]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 218 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: {218, 7}, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 217 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:read, :search], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 228 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil ]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: 
%Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 229 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [source: CauseBeacon.Accounts.User, relationship: :admin_members]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 230 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members ]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 231 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member ]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 232 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", 
location: 226 ], properties_anno: %{} } } ], facts: %{ {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ]} => false, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]} => false, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, access_type: :filter ]} => false, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]} => true, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]} => false, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]} => :unknown, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]} => :unknown }, data_facts: %{} }} Policy.solve expression: {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}} strict_check_scenarios filtered scenarios: [ %{ {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, 
:user], field: nil, access_type: :filter ]} => true }, %{ {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]} => true } ] 20:40:31.320 [error] Successful authorization: CauseBeacon.Organizations.AdminMember.read Generated Filter: user.id == "f3c0d977-5d34-4207-a6db-d280f3631376" or exists(organization.admin_members.user, id == "f3c0d977-5d34-4207-a6db-d280f3631376") Policy Breakdown user: %{id: "f3c0d977-5d34-4207-a6db-d280f3631376"} Policy | ?: condition: action in [:invite, :set_rights] Policy | ?: condition: action in [:set_default_member, :unset_default_member] Policy | ?: condition: action in [:read, :search] 20:40:31.321 [debug] QUERY OK source="admin_members" db=0.7ms SELECT a0."default", a0."id", a0."status", a0."level", a0."inserted_at", a0."updated_at", a0."organization_id", a0."user_id", a0."role_id" FROM "admin_members" AS a0 LEFT OUTER JOIN "public"."users" AS u1 ON a0."user_id" = u1."id" WHERE (a0."user_id"::uuid = $1::uuid) AND (a0."status"::varchar = $2::varchar) AND (a0."organization_id"::uuid = ANY($3::uuid[])) AND (a0."organization_id"::uuid = $4::uuid) AND ((u1."id"::uuid = $5::uuid) OR exists((SELECT 1 FROM "public"."organizations" AS so0 INNER JOIN (SELECT ssa0."id" AS "id", ssa0."level" AS "level", ssa0."status" AS "status", ssa0."default" AS "default", ssa0."inserted_at" AS "inserted_at", ssa0."updated_at" AS "updated_at", ssa0."user_id" AS "user_id", ssa0."organization_id" AS "organization_id", ssa0."role_id" AS "role_id" FROM "public"."admin_members" AS ssa0 WHERE (ssa0."organization_id"::uuid = $6::uuid)) AS ss1 ON so0."id" = ss1."organization_id" INNER JOIN "public"."users" AS su2 ON ss1."user_id" = su2."id" WHERE (su2."id"::uuid = $7::uuid) AND (a0."organization_id" = so0."id")))) ["f3c0d977-5d34-4207-a6db-d280f3631376", :accepted, ["eeba57e1-af01-4bcb-9338-fdd929e88ddb"], "eeba57e1-af01-4bcb-9338-fdd929e88ddb", "f3c0d977-5d34-4207-a6db-d280f3631376", 
"eeba57e1-af01-4bcb-9338-fdd929e88ddb", "f3c0d977-5d34-4207-a6db-d280f3631376"] Initial policy expression: {:and, {:or, {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:or, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]}, {:or, {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]}, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: admin_member_count > 0, access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:and, {:not, {:and, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]}, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}}}}}, {:not, {:and, {:or, {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]}, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]}, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]}}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}}} Simplified policy expression: {:and, {:or, {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]}, {:or, 
{Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:or, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]}, {:or, {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]}, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: admin_member_count > 0, access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:and, {:not, {:and, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]}, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}}}}}, {:not, {:and, {:or, {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]}, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]}, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]}}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}}} Expanded constants expression: {{Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}, %Ash.Policy.Authorizer{ actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: 
#Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, accepted_admin_members: #Ash.NotLoaded<:relationship, field: :accepted_admin_members>, organizations: #Ash.NotLoaded<:relationship, field: :organizations>, notifications: #Ash.NotLoaded<:relationship, field: :notifications>, __meta__: #Ecto.Schema.Metadata<:loaded, "users"> }, resource: CauseBeacon.Organizations.Role, query: #Ash.Query< resource: CauseBeacon.Organizations.Role, action: :read, tenant: "eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, load: [ permissions: #Ash.Query ], select: [:id, :name, :inserted_at, :updated_at, :organization_id] >, changeset: nil, action_input: nil, data: nil, action: %Ash.Resource.Actions.Read{ arguments: [], description: nil, filter: nil, filters: [], get_by: [], get?: false, manual: nil, metadata: [], skip_unknown_inputs: [], skip_global_validations?: false, modify_query: nil, multitenancy: :enforce, name: :read, pagination: 
%Ash.Resource.Actions.Read.Pagination{ default_limit: nil, max_page_size: 250, countable: true, stable_sort: nil, required?: false, keyset?: true, offset?: true, __spark_metadata__: nil }, preparations: [], primary?: true, touches_resources: [], timeout: nil, transaction?: false, type: :read, __spark_metadata__: nil }, domain: CauseBeacon.Organizations, scenarios: nil, real_scenarios: nil, check_scenarios: nil, subject: #Ash.Query< resource: CauseBeacon.Organizations.Role, action: :read, tenant: "eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, load: [ permissions: #Ash.Query ], select: [:id, :name, :inserted_at, :updated_at, :organization_id] >, for_fields: nil, solver_statement: nil, context: %{ private: %{ tracer: [], actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, ... 
}, authorize?: true, async_limiter: nil, loading_relationships?: true, pre_flight_authorization?: false, authorizer_log?: false }, parent_stack: [CauseBeacon.Organizations.AdminMember, CauseBeacon.Organizations.Organization], shared: nil, accessing_from: %{ name: :role, source: CauseBeacon.Organizations.AdminMember } }, policies: [ %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: admin_member_count > 0]}, check_module: Ash.Policy.Check.Expression, check_opts: [expr: admin_member_count > 0, access_type: :filter], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 28 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 29 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.AdminMember.CanManageResource, []}, check_module: CauseBeacon.Organizations.AdminMember.CanManageResource, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 30 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 25, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 27 ], 
properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Static, [result: true]}, check_module: Ash.Policy.Check.Static, check_opts: [result: true, access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 34 ], properties_anno: %{} } } ], bypass?: true, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: {34, 7}, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 33 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil ]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 38 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: {38, 7}, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 37 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.ActionType, [type: [:create, :update], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {CauseBeacon.Organizations.AdminMember.CanManageResource, []}, check_module: 
CauseBeacon.Organizations.AdminMember.CanManageResource, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 42 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: {42, 7}, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/role.ex", location: 41 ], properties_anno: %{} } } ], facts: %{ {Ash.Policy.Check.Action, [action: [:destroy], access_type: :filter]} => false, {Ash.Policy.Check.ActionType, [type: [:create], access_type: :filter]} => false, {Ash.Policy.Check.ActionType, [type: [:read], access_type: :filter]} => true, {Ash.Policy.Check.ActionType, [type: [:update], access_type: :filter]} => false, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]} => false, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]} => :unknown }, data_facts: %{} }} Policy.solve expression: {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]} strict_check_scenarios filtered scenarios: [ %{ {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]} => true } ] 20:40:31.322 [error] Successful authorization: CauseBeacon.Organizations.Role.read Generated Filter: exists(organization.admin_members.user, id == "f3c0d977-5d34-4207-a6db-d280f3631376") Policy Breakdown user: %{id: "f3c0d977-5d34-4207-a6db-d280f3631376"} Policy | 🔎: condition: action.type == :read authorize if: record.organization.admin_members.user == actor | exists(organization.admin_members.user, [id: 
"f3c0d977-5d34-4207-a6db-d280f3631376"]) | ✓ | 🔎 Policy | ?: condition: action.type in [:create, :update] 20:40:31.323 [debug] QUERY OK source="roles" db=0.4ms SELECT r0."id", r0."name", r0."inserted_at", r0."updated_at", r0."organization_id" FROM "roles" AS r0 WHERE (r0."organization_id"::uuid = $1::uuid) AND (r0."id"::uuid = ANY($2::uuid[])) AND (exists((SELECT 1 FROM "public"."organizations" AS so0 INNER JOIN (SELECT ssa0."id" AS "id", ssa0."level" AS "level", ssa0."status" AS "status", ssa0."default" AS "default", ssa0."inserted_at" AS "inserted_at", ssa0."updated_at" AS "updated_at", ssa0."user_id" AS "user_id", ssa0."organization_id" AS "organization_id", ssa0."role_id" AS "role_id" FROM "public"."admin_members" AS ssa0 WHERE (ssa0."organization_id"::uuid = $3::uuid)) AS ss1 ON so0."id" = ss1."organization_id" INNER JOIN "public"."users" AS su2 ON ss1."user_id" = su2."id" WHERE (su2."id"::uuid = $4::uuid) AND (r0."organization_id" = so0."id")))) ["eeba57e1-af01-4bcb-9338-fdd929e88ddb", [nil], "eeba57e1-af01-4bcb-9338-fdd929e88ddb", "f3c0d977-5d34-4207-a6db-d280f3631376"] Initial policy expression: {:and, {:or, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: 
:filter]}}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:refused, :removed]), access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: status == :removed, access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :refused]), 
access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [ expr: not (status in [:invited, :accepted]), access_type: :filter ]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {:or, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ]}, 
{Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, ... ]}}}}}}}}}}}}}}}}} Simplified policy expression: {:and, {:or, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:or, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]}, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, 
{:and, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]}, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:refused, :removed]), access_type: :filter]}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: status == :removed, access_type: :filter]}}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {CauseBeacon.Organizations.AdminMember.CanManageResource, [access_type: :filter]}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]}, {:or, {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true, access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :refused]), access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}}}}}}}}, {:and, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:not, {:and, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]}, {:and, {:not, {Ash.Policy.Check.Expression, [ expr: not (status in [:invited, :accepted]), access_type: :filter ]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}}, {:and, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]}, 
{Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]}}, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}}}}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:not, {:and, {:or, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]}, {Ash.Policy.Check.Action, [action: [:search], access_type: :filter]}}, {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {:or, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]}, {:or, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ]}, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, ... 
]}}}}}}}}}}}}}}}}} Expanded constants expression: {{:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}}, %Ash.Policy.Authorizer{ actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, accepted_admin_members: #Ash.NotLoaded<:relationship, field: :accepted_admin_members>, organizations: #Ash.NotLoaded<:relationship, field: :organizations>, notifications: #Ash.NotLoaded<:relationship, field: :notifications>, __meta__: #Ecto.Schema.Metadata<:loaded, "users"> }, resource: CauseBeacon.Organizations.AdminMember, query: #Ash.Query< resource: CauseBeacon.Organizations.AdminMember, action: :read, tenant: 
"eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, select: [:default, :id, :status, :level, :inserted_at, :updated_at, :organization_id, :user_id, :role_id] >, changeset: nil, action_input: nil, data: nil, action: %Ash.Resource.Actions.Read{ arguments: [], description: nil, filter: nil, filters: [], get_by: [], get?: false, manual: nil, metadata: [], skip_unknown_inputs: [], skip_global_validations?: false, modify_query: nil, multitenancy: :enforce, name: :read, pagination: %Ash.Resource.Actions.Read.Pagination{ default_limit: nil, max_page_size: 250, countable: true, stable_sort: nil, required?: false, keyset?: true, offset?: true, __spark_metadata__: nil }, preparations: [], primary?: true, touches_resources: [], timeout: nil, transaction?: false, type: :read, __spark_metadata__: nil }, domain: CauseBeacon.Organizations, scenarios: nil, real_scenarios: nil, check_scenarios: nil, subject: #Ash.Query< resource: CauseBeacon.Organizations.AdminMember, action: :read, tenant: "eeba57e1-af01-4bcb-9338-fdd929e88ddb", filter: #Ash.Filter, select: [:default, :id, :status, :level, :inserted_at, :updated_at, :organization_id, :user_id, :role_id] >, for_fields: nil, solver_statement: nil, context: %{ private: %{ tracer: [], actor: %CauseBeacon.Accounts.User{ confirmed_at: nil, translations: nil, id: "f3c0d977-5d34-4207-a6db-d280f3631376", email: #Ash.CiString<"berniece_haag@hammes.name">, first_name: "Molly", last_name: "Quitzon", nickname: nil, phone_number: "55555555", phone_country_code: "852", photo_url: "https://robohash.org/set_set2/bgset_bg2/T2XNyvJ", locale: :en, super_admin: false, gender: :female, date_of_birth: ~D[1988-07-10], preferred_language: :nl, nationality: :in, passport_number: "faoMUuhx", national_id_number: "kTjhpdhb", permanent_resident: true, inserted_at: ~U[2025-10-20 12:40:31.192958Z], updated_at: ~U[2025-10-20 12:40:31.192958Z], first_name_zh: #Ash.NotLoaded<:calculation, field: :first_name_zh>, last_name_zh: #Ash.NotLoaded<:calculation, 
field: :last_name_zh>, full_name: #Ash.NotLoaded<:calculation, field: :full_name>, display_name: #Ash.NotLoaded<:calculation, field: :display_name>, full_phone_number: #Ash.NotLoaded<:calculation, field: :full_phone_number>, age: #Ash.NotLoaded<:calculation, field: :age>, members: #Ash.NotLoaded<:relationship, field: :members>, activated_members: #Ash.NotLoaded<:relationship, field: :activated_members>, admin_members: #Ash.NotLoaded<:relationship, field: :admin_members>, ... }, authorize?: true, async_limiter: nil, loading_relationships?: true, pre_flight_authorization?: false, authorizer_log?: false }, parent_stack: [CauseBeacon.Organizations.Organization], shared: nil, accessing_from: %{ name: :admin_members, source: CauseBeacon.Organizations.Organization } }, policies: [ %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 184 ], properties_anno: %{} } } ], bypass?: nil, description: "Rejoin is only for superadmin!", access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 182 ], properties_anno: %{ description: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 183 ] } } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:invite, :set_rights], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: 
{Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 188 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.AdminMember.CanManageResource, []}, check_module: CauseBeacon.Organizations.AdminMember.CanManageResource, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 189 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 187 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: not (status in [:refused, :removed])]}, check_module: Ash.Policy.Check.Expression, check_opts: [ expr: not (status in [:refused, :removed]), access_type: :filter ], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 194 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.Static, [result: true]}, check_module: Ash.Policy.Check.Static, check_opts: [result: true, access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: 
~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 195 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 193 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: status == :removed]}, check_module: Ash.Policy.Check.Expression, check_opts: [expr: status == :removed, access_type: :filter], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 199 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 200 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {CauseBeacon.Organizations.AdminMember.CanManageResource, []}, check_module: CauseBeacon.Organizations.AdminMember.CanManageResource, check_opts: [access_type: :filter], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 201 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: 
~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 198 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.ActorAttributeEquals, [attribute: :super_admin, value: true]}, check_module: Ash.Policy.Check.ActorAttributeEquals, check_opts: [ attribute: :super_admin, value: true, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 206 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :refused])]}, check_module: Ash.Policy.Check.Expression, check_opts: [ expr: not (status in [:invited, :refused]), access_type: :filter ], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 207 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 208 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [source: CauseBeacon.Accounts.User, relationship: :admin_members]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ 
anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 209 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 205 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.Expression, [expr: not (status in [:invited, :accepted])]}, check_module: Ash.Policy.Check.Expression, check_opts: [ expr: not (status in [:invited, :accepted]), access_type: :filter ], type: :forbid_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 213 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 214 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 212 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [ action: [:set_default_member, :unset_default_member], access_type: :filter ]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, 
[relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 218 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: {218, 7}, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 217 ], properties_anno: %{} } }, %Ash.Policy.Policy{ condition: [ {Ash.Policy.Check.Action, [action: [:read, :search], access_type: :filter]} ], policies: [ %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 228 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil ]}, check_module: Ash.Policy.Check.RelatesToActorVia, check_opts: [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 229 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [source: CauseBeacon.Accounts.User, relationship: :admin_members]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ 
source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 230 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members ]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 231 ], properties_anno: %{} } }, %Ash.Policy.Check{ check: {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member ]}, check_module: Ash.Policy.Check.AccessingFrom, check_opts: [ source: CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, access_type: :filter ], type: :authorize_if, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 232 ], properties_anno: %{} } } ], bypass?: nil, description: nil, access_type: :filter, __spark_metadata__: %Spark.Dsl.Entity.Meta{ anno: [ end_location: 181, file: ~c"/Users/allen/Documents/clients/cause_beacon/cause_beacon/lib/cause_beacon/organizations/admin_member.ex", location: 226 ], properties_anno: %{} } } ], facts: %{ {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :accepted_admin_members, access_type: :filter ]} => false, {Ash.Policy.Check.AccessingFrom, [ source: CauseBeacon.Accounts.User, relationship: :admin_members, access_type: :filter ]} => false, {Ash.Policy.Check.AccessingFrom, [ source: 
CauseBeacon.Activities.AssigneeJoin, relationship: :admin_member, access_type: :filter ]} => false, {Ash.Policy.Check.Action, [action: [:accept], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:invite], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:read], access_type: :filter]} => true, {Ash.Policy.Check.Action, [action: [:refuse], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:reinvite], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:remove], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:set_default_member], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:set_rights], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:super_admin_reinvite], access_type: :filter]} => false, {Ash.Policy.Check.Action, [action: [:unset_default_member], access_type: :filter]} => false, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]} => :unknown, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]} => :unknown }, data_facts: %{} }} Policy.solve expression: {:or, {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]}, {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]}} strict_check_scenarios filtered scenarios: [ %{ {Ash.Policy.Check.RelatesToActorVia, [ relationship_path: [:organization, :admin_members, :user], field: nil, access_type: :filter ]} => true }, %{ {Ash.Policy.Check.RelatesToActorVia, [relationship_path: [:user], field: nil, access_type: :filter]} => true } ] 20:40:31.326 [error] Successful authorization: CauseBeacon.Organizations.AdminMember.read Generated Filter: user.id == "f3c0d977-5d34-4207-a6db-d280f3631376" or exists(organization.admin_members.user, id == 
"f3c0d977-5d34-4207-a6db-d280f3631376") Policy Breakdown user: %{id: "f3c0d977-5d34-4207-a6db-d280f3631376"} Policy | ?: condition: action in [:invite, :set_rights] Policy | ?: condition: action in [:set_default_member, :unset_default_member] Policy | ?: condition: action in [:read, :search] 20:40:31.327 [debug] QUERY OK source="admin_members" db=1.0ms SELECT a0."default", a0."id", a0."status", a0."level", a0."inserted_at", a0."updated_at", a0."organization_id", a0."user_id", a0."role_id" FROM "admin_members" AS a0 LEFT OUTER JOIN "public"."users" AS u1 ON a0."user_id" = u1."id" WHERE ((u1."id"::uuid = $1::uuid) OR exists((SELECT 1 FROM "public"."organizations" AS so0 INNER JOIN (SELECT ssa0."id" AS "id", ssa0."level" AS "level", ssa0."status" AS "status", ssa0."default" AS "default", ssa0."inserted_at" AS "inserted_at", ssa0."updated_at" AS "updated_at", ssa0."user_id" AS "user_id", ssa0."organization_id" AS "organization_id", ssa0."role_id" AS "role_id" FROM "public"."admin_members" AS ssa0 WHERE (ssa0."organization_id"::uuid = $2::uuid)) AS ss1 ON so0."id" = ss1."organization_id" INNER JOIN "public"."users" AS su2 ON ss1."user_id" = su2."id" WHERE (su2."id"::uuid = $3::uuid) AND (a0."organization_id" = so0."id")))) AND (a0."organization_id"::uuid = $4::uuid) ["f3c0d977-5d34-4207-a6db-d280f3631376", "eeba57e1-af01-4bcb-9338-fdd929e88ddb", "f3c0d977-5d34-4207-a6db-d280f3631376", "eeba57e1-af01-4bcb-9338-fdd929e88ddb"] CanReadMemberNote filter: true 20:40:31.327 [error] Successful authorization: CauseBeacon.Organizations.MemberNote.read Policy Breakdown user: %{id: "f3c0d977-5d34-4207-a6db-d280f3631376"} Policy | 🌟: condition: action.type == :read authorize if: actor.super_admin == true | ✘ | ⬇ authorize if: checks if a user's role authorize read of a member's note | true | ✓ | 🌟 20:40:31.327 [debug] CauseBeacon.Organizations.MemberNote.read: skipped query run due to filter being false" 1) test Test read of member's notes admin read the member-notes 
(CauseBeacon.Organizations.MemberNotesTest)
     test/cause_beacon/organizations/member_notes_test.exs:51
     Assertion with == failed
     code:  assert length(member_notes) == 2
     left:  0
     right: 2
     stacktrace:
       test/cause_beacon/organizations/member_notes_test.exs:63: (test)

Finished in 0.2 seconds (0.2s async, 0.00s sync)
7 tests, 1 failure, 6 excluded

☸ internal in cause_beacon on master [!] is 📦 v0.1.0 via 💧 v1.18.4 (OTP 28) took 2s ❯