2026-01-27 16:07:48 +01:00
1 changed files with 10 additions and 3 deletions
--- a/lib/mv/authorization/checks/custom_field_value_create_scope.ex
+++ b/lib/mv/authorization/checks/custom_field_value_create_scope.ex
@ -8,6 +8,14 @@ defmodule Mv.Authorization.Checks.CustomFieldValueCreateScope do
  (PermissionSets + :linked/:all) but only implements strict_check, so it
  never adds a filter.

+  ## member_id source
+
+  The check reads `member_id` from the create changeset via
+  `Ash.Changeset.get_argument_or_attribute/2`, so it works when member_id
+  is set as an attribute or as an action argument. The CustomFieldValue
+  resource's default create action must accept and require `member_id`
+  (e.g. via `default_accept [:value, :member_id, :custom_field_id]`).
+
  Used in CustomFieldValue policies:
    policy action_type(:create) do
      authorize_if Mv.Authorization.Checks.CustomFieldValueCreateScope
@ -15,7 +23,6 @@ defmodule Mv.Authorization.Checks.CustomFieldValueCreateScope do
  """
  use Ash.Policy.Check
  alias Mv.Authorization.PermissionSets
-  require Logger

  @impl true
  def describe(_opts),
@ -53,8 +60,8 @@ defmodule Mv.Authorization.Checks.CustomFieldValueCreateScope do
  defp get_create_member_id(authorizer) do
    changeset = authorizer.changeset || authorizer.subject

-    if changeset && function_exported?(Ash.Changeset, :get_attribute, 2) do
-      Ash.Changeset.get_attribute(changeset, :member_id)
+    if changeset && function_exported?(Ash.Changeset, :get_argument_or_attribute, 2) do
+      Ash.Changeset.get_argument_or_attribute(changeset, :member_id)
    else
      nil
    end