I noticed that after upgrading to Ash 3.0, some of my policies stopped working because I was getting Ash.ForbiddenField when trying to fetch a relationship field.
For example, I have a create action in my resource that needs to check an id from a relationship on it.
I try to get the id using Ash.Changeset.get_data(changeset, :school_id), but this was returning Ash.ForbiddenField to me.
To make this work, I added the following to my policies:
field_policies do
field_policy :school_id do
authorize_if always()
end
end
So, my question is, is this a necessary step that I need to do for each relationship id field that I want to access in a changeset or is there some other way to achieve this without having to create a bunch of field_policies for each relationship of each resource?
Ash.Changeset.get_data is not truly reliable, because it is typically based off of a read, so you need to be defensive with it. If you have fields that not everyone who can see a resource can read, then you may need to look up those values from the database again, for example.
But you can also do what you’re showing, with a list of fields for simplicity, if everyone who can read a given resource can see the school_id
field_policy [:foo, :bar, :school_id] do
authorize_if always()
end
Should school_id be public? If you make school_idpublic?: false, with attribute_public?: false on the belongs_to relationship, then you won’t need to write field policies for it.
Thanks @zachdaniel , changing it to public? false did fix the issue.
Do we have someplace in Ash documentation where it goes more in depth about these options (public?, attribute_writable?, writable?, etc)? I feel that I don’t have the full grasp on what exactly each field does and the documentation in the belongs_to relationship lacks more examples and explanation about them.
