ash/test/policy/field_policy_test.exs

defmodule Ash.Test.Policy.FieldPolicyTest do
  @doc false
  use ExUnit.Case

  require Ash.Query

  alias Ash.Test.Support.PolicyField.{Api, Ticket, User}

  setup do
    rep = Api.create!(Ash.Changeset.new(User, %{role: :representative, points: 4}))
    user = Api.create!(Ash.Changeset.new(User, %{role: :user, points: 3}))
    admin = Api.create!(Ash.Changeset.new(User, %{role: :admin, points: 2}))
    other_user = Api.create!(Ash.Changeset.new(User, %{role: :user, points: 1}))

    [
      user: user,
      admin: admin,
      representative: rep,
      ticket:
        Api.create!(Ash.Changeset.new(Ticket, %{representative_id: rep.id, reporter_id: user.id})),
      other_ticket:
        Api.create!(
          Ash.Changeset.new(Ticket, %{representative_id: rep.id, reporter_id: other_user.id})
        )
    ]
  end

  describe "introspection" do
    test "introspection returns field policies" do
      assert [
               %Ash.Policy.FieldPolicy{bypass?: true},
               %Ash.Policy.FieldPolicy{bypass?: false},
               %Ash.Policy.FieldPolicy{bypass?: false},
               %Ash.Policy.FieldPolicy{bypass?: false},
               %Ash.Policy.FieldPolicy{bypass?: false}
             ] =
               Ash.Policy.Info.field_policies(User)
    end
  end

  describe "rendering fields" do
    test "when creating as a user that cannot see the field, its value is not displayed", %{
      representative: rep,
      user: user
    } do
      assert %Ash.ForbiddenField{field: :internal_status, type: :attribute} ==
               Ticket
               |> Ash.Changeset.for_create(
                 :create,
                 %{representative_id: rep.id, reporter_id: user.id, internal_status: :new},
                 authorize?: true,
                 actor: user
               )
               |> Api.create!(authorize?: true, actor: user)
               |> Map.get(:internal_status)
    end

    test "when destroying as a user that cannot see the field, its value is not displayed", %{
      representative: rep,
      user: user
    } do
      assert %Ash.ForbiddenField{field: :internal_status, type: :attribute} ==
               Ticket
               |> Ash.Changeset.for_create(
                 :create,
                 %{representative_id: rep.id, reporter_id: user.id, internal_status: :new},
                 authorize?: true,
                 actor: user
               )
               |> Api.create!(authorize?: false)
               |> Api.destroy!(authorize?: true, actor: user, return_destroyed?: true)
               |> Map.get(:internal_status)
    end

    test "when reading as a user that can see the field, its value is displayed", %{
      representative: representative
    } do
      assert :representative ==
               User
               |> Ash.Query.for_read(:read, authorize?: true, actor: representative)
               |> Ash.Query.filter(id == ^representative.id)
               |> Api.read_one!(authorize?: true, actor: representative)
               |> Map.get(:role)
    end

    test "bypasses take priority over subsequent policies", %{
      representative: representative,
      admin: admin
    } do
      assert :representative ==
               User
               |> Ash.Query.for_read(:read, authorize?: true, actor: admin)
               |> Ash.Query.filter(id == ^representative.id)
               |> Api.read_one!(authorize?: true, actor: admin)
               |> Map.get(:role)
    end

    test "can load a resource with a forbidden aggregate", %{
      representative: representative
    } do
      assert %Ash.ForbiddenField{field: :ticket_count, type: :aggregate} ==
               User
               |> Ash.Query.for_read(:read, authorize?: true, actor: representative)
               |> Ash.Query.filter(id == ^representative.id)
               |> Ash.Query.load([:ticket_count])
               |> Api.read_one!(authorize?: true, actor: representative)
               |> Map.get(:ticket_count)
    end

    test "when reading as a user that cant see the field, its value is not displayed", %{
      representative: representative,
      user: user
    } do
      assert %Ash.ForbiddenField{field: :role, type: :attribute} ==
               User
               |> Ash.Query.for_read(:read, authorize?: true, actor: representative)
               |> Ash.Query.filter(id == ^representative.id)
               |> Api.read_one!(authorize?: true, actor: user)
               |> Map.get(:role)
    end

    test "when loading as a user that cant see the field, its value is not displayed", %{
      representative: representative,
      user: user
    } do
      assert %Ash.ForbiddenField{field: :role, type: :attribute} ==
               User
               |> Ash.Query.select([])
               |> Ash.Query.for_read(:read, authorize?: true, actor: representative)
               |> Ash.Query.filter(id == ^representative.id)
               |> Api.read_one!(authorize?: true, actor: user)
               |> Api.load!(:role, authorize?: true)
               |> Map.get(:role)
    end

    test "when reading as a user that cant see the field with a `relates_to_actor_via` check, the value is not displayed",
         %{
           user: user,
           ticket: ticket,
           other_ticket: other_ticket
         } do
      assert nil ==
               Ticket
               |> Ash.Query.select(:status)
               |> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)
               |> Ash.Query.filter(id == ^ticket.id)
               |> Api.read_one!()
               |> Map.get(:status)

      assert %Ash.ForbiddenField{} =
               Ticket
               |> Ash.Query.select(:status)
               |> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)
               |> Ash.Query.filter(id == ^other_ticket.id)
               |> Api.read_one!()
               |> Map.get(:status)
    end

    test "reading is allowed through a relationship",
         %{representative: representative} do
      # someone who is allowed because it's accessed through the ticket
      assert [ticket] =
               Ticket
               |> Ash.Query.select([])
               |> Ash.Query.for_read(:read, %{}, authorize?: true, actor: representative)
               |> Ash.Query.filter(reporter.ticket_count > 0)
               |> Ash.Query.load(reporter: [:ticket_count])
               |> Ash.Query.limit(1)
               |> Api.read!(authorize?: true)

      assert is_number(ticket.reporter.ticket_count)
      assert ticket.reporter.ticket_count > 0

      # can't read the value when reading the resource directly
      assert [user] =
               User
               |> Ash.Query.select([])
               |> Ash.Query.for_read(:read, %{}, authorize?: true, actor: representative)
               |> Ash.Query.load([:ticket_count])
               |> Ash.Query.limit(1)
               |> Api.read!(authorize?: true)

      assert user.ticket_count == %Ash.ForbiddenField{
               field: :ticket_count,
               type: :aggregate
             }
    end

    test "reading is allowed through a multi level relationship",
         %{user: user} do
      assert [ticket] =
               Ticket
               |> Ash.Query.select([:internal_status])
               |> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)
               |> Ash.Query.filter(reporter_id == ^user.id)
               |> Ash.Query.load(reporter: [:tickets])
               |> Api.read!(authorize?: true)

      assert ticket.internal_status == %Ash.ForbiddenField{
               field: :internal_status,
               type: :attribute
             }

      nested_ticket = ticket.reporter.tickets |> List.first()

      assert nested_ticket.internal_status == nil
    end
  end

  describe "filters" do
    test "filters are replaced with the appropriate field policies", %{
      representative: representative,
      user: user
    } do
      assert [] =
               User
               |> Ash.Query.select([])
               |> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)
               |> Ash.Query.filter_input(role: :representative)
               |> Api.read!(authorize?: true)

      assert [_] =
               User
               |> Ash.Query.select([])
               |> Ash.Query.for_read(:read, %{}, authorize?: true, actor: representative)
               |> Ash.Query.filter_input(role: :representative)
               |> Api.read!(authorize?: true)
    end

    test "it's possible to filter on values that are only allowed to be accessed from a parent",
         %{
           representative: representative,
           user: user
         } do
      # someone who is allowed because it's accessed through the ticket
      assert [ticket] =
               Ticket
               |> Ash.Query.select([])
               |> Ash.Query.for_read(:read, %{}, authorize?: true, actor: representative)
               |> Ash.Query.filter(reporter.ticket_count > 0)
               |> Ash.Query.load(reporter: [:ticket_count])
               |> Ash.Query.limit(1)
               |> Api.read!(authorize?: true)

      assert is_number(ticket.reporter.ticket_count)
      assert ticket.reporter.ticket_count > 0

      # someone who isn't allowed to see the field
      assert [ticket] =
               Ticket
               |> Ash.Query.select([])
               |> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)
               |> Ash.Query.filter(reporter.ticket_count > 0)
               |> Ash.Query.load(reporter: [:ticket_count])
               |> Ash.Query.limit(1)
               |> Api.read!(authorize?: true)

      assert ticket.reporter.ticket_count == %Ash.ForbiddenField{
               field: :ticket_count,
               type: :aggregate
             }
    end
  end

  describe "sorts" do
    test "sorts are replaced with the appropriate field policies", %{
      user: %{id: user_id} = user
    } do
      assert [%{id: ^user_id} | _] =
               User
               |> Ash.Query.select([:points])
               |> Ash.Query.sort_input(points: :asc_nils_last)
               |> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)
               |> Api.read!()

      assert [_, _, _, %{id: ^user_id}] =
               User
               |> Ash.Query.select([:points])
               |> Ash.Query.sort_input(points: :asc_nils_first)
               |> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)
               |> Api.read!()

      assert [_, _, %{id: ^user_id}, _] =
               User
               |> Ash.Query.select([:points])
               |> Ash.Query.sort(points: :asc_nils_first)
               |> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)
               |> Api.read!()
    end
  end
end
improvement: Add `Negate` validation (#636) * Add `Negate` validation --------- Co-authored-by: Zach Daniel <zachary.s.daniel@gmail.com> 2023-07-06 08:25:51 +12:00			`defmodule Ash.Test.Policy.FieldPolicyTest do`
feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00			`@doc false`
			`use ExUnit.Case`

			`require Ash.Query`

chore: fix credo/dialyzer 2023-06-23 06:19:40 +12:00			`alias Ash.Test.Support.PolicyField.{Api, Ticket, User}`
feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00
			`setup do`
improvement: honor field policies in sort expressions 2023-12-14 09:08:39 +13:00			`rep = Api.create!(Ash.Changeset.new(User, %{role: :representative, points: 4}))`
			`user = Api.create!(Ash.Changeset.new(User, %{role: :user, points: 3}))`
			`admin = Api.create!(Ash.Changeset.new(User, %{role: :admin, points: 2}))`
			`other_user = Api.create!(Ash.Changeset.new(User, %{role: :user, points: 1}))`
feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00
			`[`
			`user: user,`
improvement: add field_policy_bypass fix: fix and improve policy breakdown logs improvement: optimize field selection/loading when possible 2023-07-12 02:28:07 +12:00			`admin: admin,`
feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00			`representative: rep,`
			`ticket:`
			`Api.create!(Ash.Changeset.new(Ticket, %{representative_id: rep.id, reporter_id: user.id})),`
			`other_ticket:`
			`Api.create!(`
			`Ash.Changeset.new(Ticket, %{representative_id: rep.id, reporter_id: other_user.id})`
			`)`
			`]`
			`end`

			`describe "introspection" do`
			`test "introspection returns field policies" do`
improvement: add field_policy_bypass fix: fix and improve policy breakdown logs improvement: optimize field selection/loading when possible 2023-07-12 02:28:07 +12:00			`assert [`
			`%Ash.Policy.FieldPolicy{bypass?: true},`
			`%Ash.Policy.FieldPolicy{bypass?: false},`
feat: expose query or changeset to field policies (#701) 2023-09-26 04:13:36 +13:00			`%Ash.Policy.FieldPolicy{bypass?: false},`
improvement: honor field policies in sort expressions 2023-12-14 09:08:39 +13:00			`%Ash.Policy.FieldPolicy{bypass?: false},`
improvement: add field_policy_bypass fix: fix and improve policy breakdown logs improvement: optimize field selection/loading when possible 2023-07-12 02:28:07 +12:00			`%Ash.Policy.FieldPolicy{bypass?: false}`
			`] =`
test: add test for aggregate field policy (#644) 2023-07-11 01:00:55 +12:00			`Ash.Policy.Info.field_policies(User)`
feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00			`end`
			`end`

			`describe "rendering fields" do`
test: add test case for create action (#641) 2023-07-07 02:39:24 +12:00			`test "when creating as a user that cannot see the field, its value is not displayed", %{`
			`representative: rep,`
			`user: user`
			`} do`
			`assert %Ash.ForbiddenField{field: :internal_status, type: :attribute} ==`
			`Ticket`
fix: properly detect selected attributes for changeset field policies 2023-07-07 02:58:09 +12:00			`\|> Ash.Changeset.for_create(`
			`:create,`
			`%{representative_id: rep.id, reporter_id: user.id, internal_status: :new},`
			`authorize?: true,`
			`actor: user`
			`)`
test: add test case for create action (#641) 2023-07-07 02:39:24 +12:00			`\|> Api.create!(authorize?: true, actor: user)`
			`\|> Map.get(:internal_status)`
			`end`

improvement: base case iterative bulk destroy implemented 2023-12-21 15:08:40 +13:00			`test "when destroying as a user that cannot see the field, its value is not displayed", %{`
			`representative: rep,`
			`user: user`
			`} do`
			`assert %Ash.ForbiddenField{field: :internal_status, type: :attribute} ==`
			`Ticket`
			`\|> Ash.Changeset.for_create(`
			`:create,`
			`%{representative_id: rep.id, reporter_id: user.id, internal_status: :new},`
			`authorize?: true,`
			`actor: user`
			`)`
			`\|> Api.create!(authorize?: false)`
			`\|> Api.destroy!(authorize?: true, actor: user, return_destroyed?: true)`
			`\|> Map.get(:internal_status)`
			`end`

feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00			`test "when reading as a user that can see the field, its value is displayed", %{`
			`representative: representative`
			`} do`
			`assert :representative ==`
			`User`
			`\|> Ash.Query.for_read(:read, authorize?: true, actor: representative)`
			`\|> Ash.Query.filter(id == ^representative.id)`
			`\|> Api.read_one!(authorize?: true, actor: representative)`
			`\|> Map.get(:role)`
			`end`

improvement: add field_policy_bypass fix: fix and improve policy breakdown logs improvement: optimize field selection/loading when possible 2023-07-12 02:28:07 +12:00			`test "bypasses take priority over subsequent policies", %{`
			`representative: representative,`
			`admin: admin`
			`} do`
			`assert :representative ==`
			`User`
			`\|> Ash.Query.for_read(:read, authorize?: true, actor: admin)`
			`\|> Ash.Query.filter(id == ^representative.id)`
			`\|> Api.read_one!(authorize?: true, actor: admin)`
			`\|> Map.get(:role)`
			`end`

test: add test for aggregate field policy (#644) 2023-07-11 01:00:55 +12:00			`test "can load a resource with a forbidden aggregate", %{`
			`representative: representative`
			`} do`
			`assert %Ash.ForbiddenField{field: :ticket_count, type: :aggregate} ==`
			`User`
			`\|> Ash.Query.for_read(:read, authorize?: true, actor: representative)`
			`\|> Ash.Query.filter(id == ^representative.id)`
			`\|> Ash.Query.load([:ticket_count])`
			`\|> Api.read_one!(authorize?: true, actor: representative)`
			`\|> Map.get(:ticket_count)`
			`end`

feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00			`test "when reading as a user that cant see the field, its value is not displayed", %{`
			`representative: representative,`
			`user: user`
			`} do`
			`assert %Ash.ForbiddenField{field: :role, type: :attribute} ==`
			`User`
			`\|> Ash.Query.for_read(:read, authorize?: true, actor: representative)`
			`\|> Ash.Query.filter(id == ^representative.id)`
			`\|> Api.read_one!(authorize?: true, actor: user)`
			`\|> Map.get(:role)`
			`end`

			`test "when loading as a user that cant see the field, its value is not displayed", %{`
			`representative: representative,`
			`user: user`
			`} do`
			`assert %Ash.ForbiddenField{field: :role, type: :attribute} ==`
			`User`
			`\|> Ash.Query.select([])`
			`\|> Ash.Query.for_read(:read, authorize?: true, actor: representative)`
			`\|> Ash.Query.filter(id == ^representative.id)`
			`\|> Api.read_one!(authorize?: true, actor: user)`
			`\|> Api.load!(:role, authorize?: true)`
			`\|> Map.get(:role)`
			`end`

fix: fix field policy expressions fix: handle various inconsistencies in runtime expression runner 2023-06-23 08:26:03 +12:00			test "when reading as a user that cant see the field with a `relates_to_actor_via` check, the value is not displayed",
			`%{`
			`user: user,`
			`ticket: ticket,`
			`other_ticket: other_ticket`
			`} do`
			`assert nil ==`
			`Ticket`
			`\|> Ash.Query.select(:status)`
			`\|> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)`
			`\|> Ash.Query.filter(id == ^ticket.id)`
			`\|> Api.read_one!()`
			`\|> Map.get(:status)`

			`assert %Ash.ForbiddenField{} =`
			`Ticket`
			`\|> Ash.Query.select(:status)`
			`\|> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)`
			`\|> Ash.Query.filter(id == ^other_ticket.id)`
			`\|> Api.read_one!()`
			`\|> Map.get(:status)`
feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00			`end`
feat: expose query or changeset to field policies (#701) 2023-09-26 04:13:36 +13:00
			`test "reading is allowed through a relationship",`
			`%{representative: representative} do`
			`# someone who is allowed because it's accessed through the ticket`
			`assert [ticket] =`
			`Ticket`
			`\|> Ash.Query.select([])`
			`\|> Ash.Query.for_read(:read, %{}, authorize?: true, actor: representative)`
			`\|> Ash.Query.filter(reporter.ticket_count > 0)`
			`\|> Ash.Query.load(reporter: [:ticket_count])`
			`\|> Ash.Query.limit(1)`
			`\|> Api.read!(authorize?: true)`

			`assert is_number(ticket.reporter.ticket_count)`
			`assert ticket.reporter.ticket_count > 0`

			`# can't read the value when reading the resource directly`
			`assert [user] =`
			`User`
			`\|> Ash.Query.select([])`
			`\|> Ash.Query.for_read(:read, %{}, authorize?: true, actor: representative)`
			`\|> Ash.Query.load([:ticket_count])`
			`\|> Ash.Query.limit(1)`
			`\|> Api.read!(authorize?: true)`

			`assert user.ticket_count == %Ash.ForbiddenField{`
			`field: :ticket_count,`
			`type: :aggregate`
			`}`
			`end`

			`test "reading is allowed through a multi level relationship",`
			`%{user: user} do`
			`assert [ticket] =`
			`Ticket`
			`\|> Ash.Query.select([:internal_status])`
			`\|> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)`
			`\|> Ash.Query.filter(reporter_id == ^user.id)`
			`\|> Ash.Query.load(reporter: [:tickets])`
			`\|> Api.read!(authorize?: true)`

			`assert ticket.internal_status == %Ash.ForbiddenField{`
			`field: :internal_status,`
			`type: :attribute`
			`}`

			`nested_ticket = ticket.reporter.tickets \|> List.first()`

			`assert nested_ticket.internal_status == nil`
			`end`
feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00			`end`

			`describe "filters" do`
			`test "filters are replaced with the appropriate field policies", %{`
			`representative: representative,`
			`user: user`
			`} do`
			`assert [] =`
			`User`
			`\|> Ash.Query.select([])`
			`\|> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)`
			`\|> Ash.Query.filter_input(role: :representative)`
			`\|> Api.read!(authorize?: true)`

			`assert [_] =`
			`User`
			`\|> Ash.Query.select([])`
			`\|> Ash.Query.for_read(:read, %{}, authorize?: true, actor: representative)`
			`\|> Ash.Query.filter_input(role: :representative)`
			`\|> Api.read!(authorize?: true)`
			`end`
feat: expose query or changeset to field policies (#701) 2023-09-26 04:13:36 +13:00
improvement: honor field policies in sort expressions 2023-12-14 09:08:39 +13:00			`test "it's possible to filter on values that are only allowed to be accessed from a parent",`
			`%{`
			`representative: representative,`
			`user: user`
			`} do`
feat: expose query or changeset to field policies (#701) 2023-09-26 04:13:36 +13:00			`# someone who is allowed because it's accessed through the ticket`
			`assert [ticket] =`
			`Ticket`
			`\|> Ash.Query.select([])`
			`\|> Ash.Query.for_read(:read, %{}, authorize?: true, actor: representative)`
			`\|> Ash.Query.filter(reporter.ticket_count > 0)`
			`\|> Ash.Query.load(reporter: [:ticket_count])`
			`\|> Ash.Query.limit(1)`
			`\|> Api.read!(authorize?: true)`

			`assert is_number(ticket.reporter.ticket_count)`
			`assert ticket.reporter.ticket_count > 0`

			`# someone who isn't allowed to see the field`
			`assert [ticket] =`
			`Ticket`
			`\|> Ash.Query.select([])`
			`\|> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)`
			`\|> Ash.Query.filter(reporter.ticket_count > 0)`
			`\|> Ash.Query.load(reporter: [:ticket_count])`
			`\|> Ash.Query.limit(1)`
			`\|> Api.read!(authorize?: true)`

			`assert ticket.reporter.ticket_count == %Ash.ForbiddenField{`
			`field: :ticket_count,`
			`type: :aggregate`
			`}`
			`end`
feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00			`end`
improvement: honor field policies in sort expressions 2023-12-14 09:08:39 +13:00
			`describe "sorts" do`
			`test "sorts are replaced with the appropriate field policies", %{`
			`user: %{id: user_id} = user`
			`} do`
			`assert [%{id: ^user_id} \| _] =`
			`User`
			`\|> Ash.Query.select([:points])`
			`\|> Ash.Query.sort_input(points: :asc_nils_last)`
			`\|> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)`
			`\|> Api.read!()`

			`assert [_, _, _, %{id: ^user_id}] =`
			`User`
			`\|> Ash.Query.select([:points])`
			`\|> Ash.Query.sort_input(points: :asc_nils_first)`
			`\|> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)`
			`\|> Api.read!()`

			`assert [_, _, %{id: ^user_id}, _] =`
			`User`
			`\|> Ash.Query.select([:points])`
			`\|> Ash.Query.sort(points: :asc_nils_first)`
			`\|> Ash.Query.for_read(:read, %{}, authorize?: true, actor: user)`
			`\|> Api.read!()`
			`end`
			`end`
feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00			`end`