cpjk / canary

:hatching_chick: Elixir authorization and resource-loading library for Plug applications.
MIT License

Adding permissions for nested models #67

Closed Secretmapper closed 7 years ago

Secretmapper commented 7 years ago

Sorry if this has been addressed in the docs, but I can't seem to find it.

How do we add a permission for 'nested' models? For example, imagine a User, a Project, and Tasks:

task.project_id -> project.user_id -> user.id

I only want the user to be able to see, edit, etc. tasks if he owns the project.

slashmili commented 7 years ago

I did it by adding two plugs, for a route like /projects/10/tasks/20:

```elixir
plug :authorize_resource, model: Project, persisted: true, id_name: "project_id"
plug :authorize_resource, model: Task
```

cpjk commented 7 years ago

To add to @slashmili's answer, if you want a more custom authorization solution, it is fairly simple to implement yourself using custom plugs, e.g. how it is done in https://github.com/cpjk/canary/blob/master/lib/canary/plugs.ex#L155-L170 :smile_cat:
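
A custom plug of the kind suggested above, as an added example that is not part of the thread and not Canary's own code: it ties the task to the project named in the URL and the project to the current user in a single check. The `MyApp.*` modules, the function name and the `:current_user`, `:project` and `:task` assigns keys are assumptions (the records are expected to be loaded by earlier plugs, for instance Canary's `load_and_authorize_resource`), and the requests at the bottom are constructed.

```elixir
# Added example. MyApp.* names are hypothetical; the structs stand in for Ecto schemas.
defmodule MyApp.User, do: defstruct([:id])
defmodule MyApp.Project, do: defstruct([:id, :user_id])
defmodule MyApp.Task, do: defstruct([:id, :project_id])

defmodule MyApp.NestedTaskAuth do
  import Plug.Conn
  alias MyApp.{Project, Task, User}

  # Function plug for routes like /projects/:project_id/tasks/:id.
  # Assumption: earlier plugs put the records in conn.assigns under
  # :current_user, :project and :task.
  def authorize_task_in_project(conn, _opts) do
    case conn.assigns do
      # Reusing `uid` and `pid` inside one pattern forces equality:
      # the user owns the project AND the task belongs to that project.
      # The guard keeps two nil ids from counting as a match.
      %{
        current_user: %User{id: uid},
        project: %Project{id: pid, user_id: uid},
        task: %Task{project_id: pid}
      }
      when not is_nil(uid) and not is_nil(pid) ->
        assign(conn, :authorized, true)

      # Missing record, another owner, or a task from a different project:
      # refuse with the same response in every case.
      _ ->
        conn |> assign(:authorized, false) |> send_resp(404, "Not found") |> halt()
    end
  end
end

# Constructed requests for /projects/10/tasks/20; project 10 is owned by user 1.
check = fn user_id, task_project_id ->
  Plug.Test.conn(:get, "/projects/10/tasks/20")
  |> Plug.Conn.assign(:current_user, %MyApp.User{id: user_id})
  |> Plug.Conn.assign(:project, %MyApp.Project{id: 10, user_id: 1})
  |> Plug.Conn.assign(:task, %MyApp.Task{id: 20, project_id: task_project_id})
  |> MyApp.NestedTaskAuth.authorize_task_in_project([])
end

false = check.(1, 10).halted  # owner, task inside the URL's project
true = check.(2, 10).halted   # a different user
true = check.(1, 11).halted   # task that belongs to another project
```

In a controller this would run as `plug :authorize_task_in_project` after the plugs that load the project and the task.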