From c442d83534f84f91b603df6fd921729a86739e03 Mon Sep 17 00:00:00 2001
From: Barnabas Jovanovics <barnabas.jovanovics@gmail.com>
Date: Mon, 10 Jul 2023 15:00:55 +0200
Subject: [PATCH] test: add test for aggregate field policy (#644)

---
 lib/ash/actions/helpers.ex                  |  4 ++--
 test/policy/field_policy_test.exs           | 15 ++++++++++++++-
 test/support/policy_field/resources/user.ex | 15 +++++++++++++++
 3 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/lib/ash/actions/helpers.ex b/lib/ash/actions/helpers.ex
index 189b4580..0caace4e 100644
--- a/lib/ash/actions/helpers.ex
+++ b/lib/ash/actions/helpers.ex
@@ -531,7 +531,7 @@ defmodule Ash.Actions.Helpers do
   end
 
   defp replace_dynamic_loads(record, field, type, %Ash.Changeset{} = changeset)
-       when type in [:attribute, :calculation] do
+       when type in [:attribute, :calculation, :aggregate] do
     query =
       changeset.resource
       |> Ash.Query.new()
@@ -541,7 +541,7 @@ defmodule Ash.Actions.Helpers do
   end
 
   defp replace_dynamic_loads(record, field, type, query)
-       when type in [:attribute, :calculation] do
+       when type in [:attribute, :calculation, :aggregate] do
     query.calculations
     |> Enum.reduce(
       record,
diff --git a/test/policy/field_policy_test.exs b/test/policy/field_policy_test.exs
index 2ded5962..04c8bba3 100644
--- a/test/policy/field_policy_test.exs
+++ b/test/policy/field_policy_test.exs
@@ -25,7 +25,8 @@ defmodule Ash.Test.Policy.FieldPolicyTest do
 
   describe "introspection" do
     test "introspection returns field policies" do
-      assert [%Ash.Policy.FieldPolicy{}] = Ash.Policy.Info.field_policies(User)
+      assert [%Ash.Policy.FieldPolicy{}, %Ash.Policy.FieldPolicy{}] =
+               Ash.Policy.Info.field_policies(User)
     end
   end
 
@@ -57,6 +58,18 @@ defmodule Ash.Test.Policy.FieldPolicyTest do
                |> Map.get(:role)
     end
 
+    test "can load a resource with a forbidden aggregate", %{
+      representative: representative
+    } do
+      assert %Ash.ForbiddenField{field: :ticket_count, type: :aggregate} ==
+               User
+               |> Ash.Query.for_read(:read, authorize?: true, actor: representative)
+               |> Ash.Query.filter(id == ^representative.id)
+               |> Ash.Query.load([:ticket_count])
+               |> Api.read_one!(authorize?: true, actor: representative)
+               |> Map.get(:ticket_count)
+    end
+
     test "when reading as a user that cant see the field, its value is not displayed", %{
       representative: representative,
       user: user
diff --git a/test/support/policy_field/resources/user.ex b/test/support/policy_field/resources/user.ex
index b75fd82e..cd184623 100644
--- a/test/support/policy_field/resources/user.ex
+++ b/test/support/policy_field/resources/user.ex
@@ -20,6 +20,17 @@ defmodule Ash.Test.Support.PolicyField.User do
     end
   end
 
+  relationships do
+    has_many :tickets, Ash.Test.Support.PolicyField.Ticket do
+      source_attribute :id
+      destination_attribute :reporter_id
+    end
+  end
+
+  aggregates do
+    count :ticket_count, :tickets
+  end
+
   policies do
     policy always() do
       authorize_if always()
@@ -30,5 +41,9 @@ defmodule Ash.Test.Support.PolicyField.User do
     field_policy :role do
       authorize_if actor_attribute_equals(:role, :representative)
     end
+
+    field_policy :ticket_count do
+      authorize_if actor_attribute_equals(:role, :reporter)
+    end
   end
 end