honor ash policies for authorizing belongs_to relation #11

Open
bars0udin wants to merge 4 commits into enoonan:main from udin-io:fix/belong_to_ash_relationship_auth

Conversation

@bars0udin

Out of the box, Ash policies are not honored when loading a related resource. This is an initial attempt to address this. I would like to also update the demo to demonstrate what this update will address.

Add Ash Authorization Support to BelongsTo Fields

Problem

BelongsTo dropdowns showed ALL related records, ignoring Ash authorization policies.
This caused information disclosure - users could see records they shouldn't access.

Solution

Created custom AshBackpex.Fields.BelongsTo that:

  • Queries via Ash.read(actor: actor) to respect policies
  • Filters dropdown options to authorized records only
  • Maintains backward compatibility with non-Ash resources
  • Includes logging for debugging authorization flow

Changes

  • New: lib/ash_backpex/fields/belongs_to.ex - Ash-aware BelongsTo field
  • Modified: lib/ash_backpex/live_resource/transformers/generate_backpex.ex:178 - Use new field
  • Modified: lib/ash_backpex/live_resource/dsl.ex:135-147 - Updated docs

Impact

Dropdowns now automatically respect Ash policies without additional configuration.

Demo Update Example

  # Add a workspace/tenant column to posts
  defmodule Demo.Blog.Post do
    use Ash.Resource,
      data_layer: AshPostgres.DataLayer,
      # the `policies` section below is provided by this authorizer extension
      authorizers: [Ash.Policy.Authorizer]

    attributes do
      # ... existing attributes
      attribute :workspace_id, :uuid
    end

    relationships do
      belongs_to :workspace, Demo.Accounts.Workspace
      belongs_to :author, Demo.Accounts.User
    end

    policies do
      policy action_type(:read) do
        # Users can only see posts from their workspace
        authorize_if relates_to_actor_via([:workspace, :users])
      end
    end
  end

File: demo/lib/demo/accounts/resources/workspace.ex

  defmodule Demo.Accounts.Workspace do
    use Ash.Resource,
      data_layer: AshPostgres.DataLayer,
      # the `policies` section below is provided by this authorizer extension
      authorizers: [Ash.Policy.Authorizer]

    relationships do
      has_many :users, Demo.Accounts.User
      has_many :posts, Demo.Blog.Post
    end

    policies do
      policy action_type(:read) do
        # Users can only see workspaces they belong to
        authorize_if relates_to_actor_via(:users)
      end
    end
  end

Demo Scenario:

  1. Create 3 workspaces: "ACME", "TechCorp", "StartupXYZ"
  2. Create users: alice@acme.com (ACME), bob@techcorp.com (TechCorp)
  3. When Alice creates a Post, workspace dropdown shows only "ACME" ✓
  4. When Bob creates a Post, workspace dropdown shows only "TechCorp" ✓
  5. Before this fix: Both users would see all 3 workspaces ✗
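
The two option-loading behaviours the description contrasts, written out as an added example (this is not code from the PR or from the AshBackpex project). `Demo.Accounts.Workspace` and its `relates_to_actor_via(:users)` read policy come from the sketch above; the `:name` display attribute, the module name and the `current_user` actor are assumptions for illustration.

```elixir
# Added example, not part of the PR: builds `{label, value}` tuples for a
# BelongsTo dropdown in the two ways the PR description contrasts.
# Assumed: Workspace has a `:name` attribute; the actor is the current user.
defmodule AshBackpexExample.WorkspaceOptions do
  @moduledoc """
  `unauthorized_options/0` reproduces the pre-fix behaviour: the related
  resource is read with no actor, so no policy runs and every workspace
  is returned to the dropdown.

  `authorized_options/1` is the post-fix shape: the read carries `actor:`,
  so Ash.Policy.Authorizer applies the `relates_to_actor_via(:users)`
  read policy and only the actor's own workspaces come back.
  """

  alias Demo.Accounts.Workspace

  # Pre-fix behaviour: no actor, no authorization, every row becomes an
  # option. This is the information disclosure the PR closes.
  def unauthorized_options do
    Workspace
    |> Ash.read!()
    |> to_options()
  end

  # Post-fix behaviour: the read is performed as the actor, with
  # authorization explicitly on, so the Workspace read policy filters the
  # result set before it ever reaches the form.
  def authorized_options(actor) do
    Workspace
    |> Ash.read!(actor: actor, authorize?: true)
    |> to_options()
  end

  # Maps records to the `{label, value}` tuples a select input expects.
  # `:name` is an assumed display attribute on Workspace.
  defp to_options(records) do
    Enum.map(records, fn workspace -> {workspace.name, workspace.id} end)
  end
end

# Usage from a LiveView, where `socket.assigns.current_user` is the
# logged-in actor (assumed assign name):
#   AshBackpexExample.WorkspaceOptions.authorized_options(socket.assigns.current_user)
```

In the demo scenario above, `authorized_options(alice)` yields only the "ACME" tuple and `authorized_options(bob)` only "TechCorp", while `unauthorized_options/0` yields all three workspaces regardless of who is logged in. Passing `authorize?: true` alongside `actor:` makes the intent explicit rather than relying on the domain's `authorize` setting.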

@enoonan
Owner

enoonan commented Dec 3, 2025

Thanks so much! This looks really great. I've been aware of this problem, and it's one of the reasons the README still warns people to only use AshBackpex for internal admin tooling in trusted environments.

I've been sick for a couple weeks and I'm on a heavy dose of antibiotics at the moment. But I'll be sure to review / merge / tag / release this ASAP when I'm back to my normal self.

~E

@bars0udin
Author

Sorry to hear you're not feeling well, hope you feel better soon!

@enoonan
Owner

enoonan commented Dec 9, 2025

Hello - I'm going to have to take a close look at this. CI tests are failing and it looks like it breaks the field type derivation code.

@bars0udin
Author

bars0udin commented Dec 11, 2025

The failure is basically that the test for BelongsTo now needs to match the AshBackpex.Fields.BelongsTo type that enforces the policy check instead of the default Backpex.Fields.BelongsTo ...

@bars0udin bars0udin marked this pull request as ready for review December 18, 2025 06:34