fix!: don't encrypt attributes not in action accept list

zachdaniel · zachdaniel · commit 465e3e58a81a · 2026-01-19T22:36:43.000-05:00
fixes #133
diff --git a/lib/ash_cloak/transformers/set_up_encryption.ex b/lib/ash_cloak/transformers/set_up_encryption.ex
@@ -88,7 +88,7 @@ defmodule AshCloak.Transformers.SetupEncryption do
   defp rewrite_actions({:ok, dsl}, attr) do
     dsl
     |> Ash.Resource.Info.actions()
-    |> Enum.filter(&(&1.type in [:create, :update, :destroy]))
+    |> Enum.filter(&(&1.type in [:create, :update, :destroy] && attr.name in &1.accept))
     |> Enum.reduce_while({:ok, dsl}, fn action, {:ok, dsl} ->
       new_accept = action.accept -- [attr.name]
 
diff --git a/test/ash_cloak_test.exs b/test/ash_cloak_test.exs
@@ -162,13 +162,12 @@ defmodule AshCloakTest do
     assert decode(encrypted.encrypted_encrypted) == 14
   end
 
-  test "it encrypts even when the attribute is not in the accept list" do
-    encrypted =
+  test "it does not encrypt when the attribute is not in the accept list" do
+    assert_raise Ash.Error.Invalid, ~r/attribute encrypted_encrypted_with_default is required/, fn ->
       AshCloak.Test.Resource
       |> Ash.Changeset.for_create(:change_without_accept)
       |> Ash.create!()
-
-    assert decode(encrypted.encrypted_encrypted) == 13
+    end
   end
 
   test "it encrypts with default value" do
