defmodule Ash.Error.Forbidden.CannotFilterCreates do
@moduledoc "Used when a create action would be filtered"
use Ash.Error.Exception
def_ash_error([], class: :forbidden)
defimpl Ash.ErrorKind do
def id(_), do: Ash.UUID.generate()
def code(_), do: "cannot_filter_creates"
def message(_) do
"""
Filter checks cannot be used with create actions.
If you are using Ash.Policy.Authorizer:
To solve for this, use other checks, or write a custom check.
Many expressions, like those that reference relationships, require using custom checks for create actions.
Expressions that only reference the actor or context, for example `expr(^actor(:is_admin) == true)` will work fine.
Given a policy like:
```elixir
policy expr(special == true) do
authorize_if expr(allows_special == true)
end
```
You would rewrite it to not include create actions like so:
```elixir
policy [expr(special == true), action_type([:read, :update, :destroy])] do
authorize_if expr(allows_special == true)
end
```
At which point you could add a `create` specific policy:
```elixir
policy [changing_attributes(special: [to: true]), action_type(:create)] do
authorize_if changing_attributes(special: [to: true])
end
```
In these cases, you may also end up wanting to write a custom check.
"""
end
end
end