fix: issues with multitenancy bypass in related queries (#205)

Author: danielatdpg

lib/join.ex

@@ -407,9 +407,7 @@ defmodule AshSql.Join do
     filter_subquery? = Keyword.get(opts, :filter_subquery?, false)
     parent_resources = Keyword.get(opts, :parent_stack, [relationship.source])
 
-    read_action =
-      relationship.read_action ||
-        Ash.Resource.Info.primary_action!(relationship.destination, :read).name
+    read_action = get_read_action(relationship)
 
     context = Map.delete(query.__ash_bindings__.context, :data_layer)
 
@@ -436,17 +434,17 @@ defmodule AshSql.Join do
     end)
     |> Ash.Query.do_filter(opts[:apply_filter], parent_stack: parent_resources)
     |> then(fn query ->
-      if query.__validated_for_action__ == read_action do
+      if query.__validated_for_action__ == read_action.name do
         query
       else
-        Ash.Query.for_read(query, read_action, %{},
+        Ash.Query.for_read(query, read_action.name, %{},
           actor: context[:private][:actor],
           tenant: context[:private][:tenant]
         )
       end
     end)
     |> Ash.Query.unset([:distinct, :select, :limit, :offset])
-    |> handle_attribute_multitenancy(tenant)
+    |> handle_attribute_multitenancy(tenant, read_action)
     |> hydrate_refs(context[:private][:actor])
     |> then(fn query ->
       if sort? do
@@ -507,8 +505,9 @@ defmodule AshSql.Join do
   end
 
   @doc false
-  def handle_attribute_multitenancy(query, tenant) do
-    if tenant && Ash.Resource.Info.multitenancy_strategy(query.resource) == :attribute do
+  def handle_attribute_multitenancy(query, tenant, read_action \\ nil) do
+    if tenant && Ash.Resource.Info.multitenancy_strategy(query.resource) == :attribute &&
+         (is_nil(read_action) || read_action.multitenancy not in [:bypass, :bypass_all]) do
       multitenancy_attribute = Ash.Resource.Info.multitenancy_attribute(query.resource)
 
       if multitenancy_attribute do
@@ -1367,4 +1366,12 @@ defmodule AshSql.Join do
     {dynamic, acc} = AshSql.Expr.dynamic_expr(root_query, filter, bindings, true)
     {from(row in query, where: ^dynamic), acc}
   end
+
+  defp get_read_action(%{read_action: nil} = rel) do
+    Ash.Resource.Info.primary_action!(rel.destination, :read)
+  end
+
+  defp get_read_action(rel) do
+    Ash.Resource.Info.action(rel.destination, rel.read_action)
+  end
 end

lib/query.ex

@@ -644,6 +644,10 @@ defmodule AshSql.Query do
         [first_rel_name | _] ->
           relationship = Ash.Resource.Info.relationship(resource, first_rel_name)
 
+          if is_nil(relationship) do
+            raise "No such relationship #{inspect(resource)}.#{relationship}. aggregates: #{inspect(aggregates)}"
+          end
+
           rel_fields =
             if relationship && !Map.get(relationship, :no_attributes?) &&
                  Map.get(relationship, :source_attribute) do
@@ -652,7 +656,7 @@ defmodule AshSql.Query do
               []
             end
 
-          if relationship && relationship.filter do
+          if relationship.filter do
             extract_parent_attrs_from_filter(relationship.filter, query)
           else
             []