Phoenix : can't insert foreign keys in Postgres

Is there any reason that Phoenix does not add these fields by default in validation?

Casting foreign keys from outside data can open you up to some nasty vulnerabilities.

I saw a project that cast something like shop_id in their changesets and I could do whatever I wanted with them since I was practically “the owner” of every shop in their database.

The fact that it’s so easy to do in ecto + phoenix is a bit worrisome.

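The pattern described in the reply above, shown side by side with the fix, as an added example that is not code from the thread or from any project mentioned in it. The `Product` and `Shop` schemas, the `owner_id` column, the `MyApp.Repo` module and the controller-style `create_product/3` function are all assumptions made up for this illustration:

```elixir
# Added example (not from the original thread). Schema names, fields,
# the Repo module and the calling convention are assumptions.

defmodule MyApp.Catalog.Shop do
  use Ecto.Schema

  schema "shops" do
    field :name, :string
    field :owner_id, :integer   # id of the user who owns this shop
    timestamps()
  end
end

defmodule MyApp.Catalog.Product do
  use Ecto.Schema
  import Ecto.Changeset

  schema "products" do
    field :name, :string
    field :price_cents, :integer
    belongs_to :shop, MyApp.Catalog.Shop
    timestamps()
  end

  # VULNERABLE: `shop_id` is in the cast list, so whatever value the client
  # sends is accepted as long as it is an integer. `foreign_key_constraint`
  # only checks that some shop with that id exists, not that the caller owns
  # it, so a request carrying another merchant's shop id inserts a product
  # into that merchant's shop.
  def unsafe_changeset(product, params) do
    product
    |> cast(params, [:name, :price_cents, :shop_id])
    |> validate_required([:name, :price_cents, :shop_id])
    |> foreign_key_constraint(:shop_id)
  end

  # HARDENED: only the columns a user may edit are cast. The owning shop is
  # supplied by the caller from server-side state; a `shop_id` key in
  # `params` is silently ignored because it is not in the permitted list.
  def changeset(product, params, %MyApp.Catalog.Shop{id: shop_id}) do
    product
    |> cast(params, [:name, :price_cents])
    |> validate_required([:name, :price_cents])
    |> put_change(:shop_id, shop_id)
    |> foreign_key_constraint(:shop_id)
  end
end

defmodule MyApp.Catalog do
  import Ecto.Query, only: [from: 2]
  alias MyApp.Repo
  alias MyApp.Catalog.{Product, Shop}

  # Resolve the shop from the authenticated user, not from the request body.
  # Scoping the query by `owner_id` means an id the user does not own raises
  # `Ecto.NoResultsError` (rendered as 404 by Phoenix) instead of being used.
  def get_owned_shop!(%{id: user_id}, shop_id) do
    Repo.one!(from s in Shop, where: s.id == ^shop_id and s.owner_id == ^user_id)
  end

  # Controller-side usage: `current_user` comes from the auth plug, `shop_id`
  # from the route, and `params` is the untrusted form body.
  def create_product(current_user, shop_id, params) do
    shop = get_owned_shop!(current_user, shop_id)

    %Product{}
    |> Product.changeset(params, shop)
    |> Repo.insert()
  end
end
```

The difference worth noticing is where `shop_id` enters the changeset: in `unsafe_changeset/2` it is part of the `cast/3` permitted list and therefore controlled by the client, while in `changeset/3` it is set with `put_change/3` from a shop record that was already looked up under the current user's ownership. A quick audit for this class of bug is to grep changesets for `_id` atoms inside `cast/3` permitted lists and ask, for each one, whether the server or the client decides that value.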