fix: evaluate templates to unknown at ref

2024-09-20 13:33:20 +12:00 · 2024-02-14 14:33:45 -05:00 · 2024-02-14 14:33:45 -05:00 · 1171e9fb03
commit 1171e9fb03
parent f23f0a29fe
4 changed files with 21 additions and 9 deletions
--- a/lib/ash/error/forbidden/policy.ex
+++ b/lib/ash/error/forbidden/policy.ex
@ -109,6 +109,8 @@ defmodule Ash.Error.Forbidden.Policy do
    must_pass_strict_check? =
      if opts[:must_pass_strict_check?] do
        """
+        Breakdown
+
        Scenario must pass strict check only, meaning `runtime` policies cannot be checked.

        This requirement is generally used for filtering on related resources, when we can't fetch those
--- a/lib/ash/filter/runtime.ex
+++ b/lib/ash/filter/runtime.ex
@ -413,6 +413,15 @@ defmodule Ash.Filter.Runtime do
    end
  end

+  defp resolve_expr({:_actor, _}, _, _, _, _), do: :unknown
+  defp resolve_expr({:_arg, _}, _, _, _, _), do: :unknown
+  defp resolve_expr({:_ref, _}, _, _, _, _), do: :unknown
+  defp resolve_expr({:_ref, _, _}, _, _, _, _), do: :unknown
+  defp resolve_expr({:_parent, _}, _, _, _, _), do: :unknown
+  defp resolve_expr({:_parent, _, _}, _, _, _, _), do: :unknown
+  defp resolve_expr({:_atomic_ref, _}, _, _, _, _), do: :unknown
+  defp resolve_expr({:_context, _}, _, _, _, _), do: :unknown
+
  defp resolve_expr(
         %Ash.Filter{expression: expression},
         record,
@ -720,15 +729,6 @@ defmodule Ash.Filter.Runtime do
    end)
  end

-  defp resolve_expr({:_actor, _}, _, _, _, _), do: :unknown
-  defp resolve_expr({:_arg, _}, _, _, _, _), do: :unknown
-  defp resolve_expr({:_ref, _}, _, _, _, _), do: :unknown
-  defp resolve_expr({:_ref, _, _}, _, _, _, _), do: :unknown
-  defp resolve_expr({:_parent, _}, _, _, _, _), do: :unknown
-  defp resolve_expr({:_parent, _, _}, _, _, _, _), do: :unknown
-  defp resolve_expr({:_atomic_ref, _}, _, _, _, _), do: :unknown
-  defp resolve_expr({:_context, _}, _, _, _, _), do: :unknown
-
  defp resolve_expr(other, _, _, _, _), do: {:ok, other}

  defp try_cast_arguments(:var_args, args) do
--- a/lib/ash/filter/template_helpers.ex
+++ b/lib/ash/filter/template_helpers.ex
@ -2,6 +2,7 @@ defmodule Ash.Filter.TemplateHelpers do
  @moduledoc "Helpers for building filter templates"

  @deprecated "Use `expr?/1` instead, which is not a guard"
+
  defguard is_expr(value)
           when is_struct(value, Ash.Query.Not) or is_struct(value, Ash.Query.BooleanExpression) or
                  is_struct(value, Ash.Query.Call) or is_struct(value, Ash.Query.Ref) or
@ -9,6 +10,14 @@ defmodule Ash.Filter.TemplateHelpers do
                  is_struct(value, Ash.Query.Parent) or
                  (is_struct(value) and is_map_key(value, :__predicate__?))

+  def expr?({:_actor, _}), do: true
+  def expr?({:_arg, _}), do: true
+  def expr?({:_ref, _, _}), do: true
+  def expr?({:_parent, _, _}), do: true
+  def expr?({:_parent, _}), do: true
+  def expr?({:_atomic_ref, _}), do: true
+  def expr?({:_context, _}), do: true
+
  def expr?(value)
      when is_struct(value, Ash.Query.Not) or is_struct(value, Ash.Query.BooleanExpression) or
             is_struct(value, Ash.Query.Call) or is_struct(value, Ash.Query.Ref) or
--- a/lib/ash/policy/filter_check_with_context.ex
+++ b/lib/ash/policy/filter_check_with_context.ex
@ -89,6 +89,7 @@ defmodule Ash.Policy.FilterCheckWithContext do
           }) do
        case Ash.Filter.hydrate_refs(expression, %{
               resource: resource,
+               unknown_on_unknown_refs?: true,
               aggregates: %{},
               calculations: %{},
               public?: false