ash-project
diff --git a/‎documentation/dsls/DSL-AshJsonApi.Resource.md‎
Lines changed: 2 additions & 2 deletions b/‎documentation/dsls/DSL-AshJsonApi.Resource.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎lib/ash_json_api/domain/persisters/define_router.ex‎
Lines changed: 10 additions & 1 deletion b/‎lib/ash_json_api/domain/persisters/define_router.ex‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎lib/ash_json_api/includes/parser.ex‎
Lines changed: 39 additions & 0 deletions b/‎lib/ash_json_api/includes/parser.ex‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎lib/ash_json_api/request.ex‎
Lines changed: 86 additions & 59 deletions b/‎lib/ash_json_api/request.ex‎
Lines changed: 86 additions & 59 deletions
diff --git a/‎lib/ash_json_api/resource/info.ex‎
Lines changed: 11 additions & 4 deletions b/‎lib/ash_json_api/resource/info.ex‎
Lines changed: 11 additions & 4 deletions
diff --git a/‎lib/ash_json_api/resource/persisters/define_router.ex‎
Lines changed: 10 additions & 1 deletion b/‎lib/ash_json_api/resource/persisters/define_router.ex‎
Lines changed: 10 additions & 1 deletion
@@ -67,8 +67,8 @@ end
 | [`paginated_includes`](#json_api-paginated_includes){: #json_api-paginated_includes } | `list(atom \| list(atom))` | `[]` | A list of relationship paths that can be paginated when included via the `included_page` query parameter. Each entry can be either an atom (for top-level relationships) or a list of atoms (for nested paths). |
 | [`include_nil_values?`](#json_api-include_nil_values?){: #json_api-include_nil_values? } | `any` |  | Whether or not to include properties for values that are nil in the JSON output |
 | [`default_fields`](#json_api-default_fields){: #json_api-default_fields } | `list(atom)` |  | The fields to include in the object if the `fields` query parameter does not specify. Defaults to all public |
-| [`hide_fields`](#json_api-hide_fields){: #json_api-hide_fields } | `list(atom)` | `[]` | A list of fields to hide from the generated OpenAPI specification. Applies to attributes, relationships, calculations, and aggregates. |
-| [`show_fields`](#json_api-show_fields){: #json_api-show_fields } | `list(atom)` |  | A list of fields to show in the generated OpenAPI specification. If not specified, all public fields are shown except those in `hide_fields`. |
+| [`hide_fields`](#json_api-hide_fields){: #json_api-hide_fields } | `list(atom)` | `[]` | A list of fields to hide from generated API specifications and JSON:API responses. Applies to attributes, relationships, calculations, and aggregates. |
+| [`show_fields`](#json_api-show_fields){: #json_api-show_fields } | `list(atom)` |  | A list of fields to show in generated API specifications and JSON:API responses. If not specified, all public fields are shown except those in `hide_fields`. |
 | [`derive_sort?`](#json_api-derive_sort?){: #json_api-derive_sort? } | `boolean` | `true` | Whether or not to derive a sort parameter based on the sortable fields of the resource |
 | [`derive_filter?`](#json_api-derive_filter?){: #json_api-derive_filter? } | `boolean` | `true` | Whether or not to derive a filter parameter based on the sortable fields of the resource |
 | [`relationship_meta_in`](#json_api-relationship_meta_in){: #json_api-relationship_meta_in } | `keyword` | `[]` | Configures how incoming JSON:API `meta` keys on relationship resource identifiers map to join resource attributes for many_to_many relationship writes. Use together with `relationship_meta_out` for reads. Each relationship you want to support must declare both mappings explicitly. |
 
@@ -9,7 +9,10 @@ defmodule AshJsonApi.Domain.Persisters.DefineRouter do
   alias Spark.Dsl.Transformer
 
   def transform(dsl) do
-    routes = AshJsonApi.Domain.Info.routes(dsl)
+    routes =
+      dsl
+      |> AshJsonApi.Domain.Info.routes()
+      |> Enum.filter(&route_visible?/1)
 
     route_matchers =
       routes
@@ -45,6 +48,12 @@ defmodule AshJsonApi.Domain.Persisters.DefineRouter do
      )}
   end
 
+  defp route_visible?(%{relationship: nil}), do: true
+
+  defp route_visible?(%{resource: resource, relationship: relationship}) do
+    AshJsonApi.Resource.Info.show_field?(resource, relationship)
+  end
+
   # sobelow_skip ["DOS.StringToAtom"]
   def route_match(route) do
     split_route = String.split(route.route, "/", trim: true)
 
@@ -30,9 +30,48 @@ defmodule AshJsonApi.Includes.Parser do
   defp allowed_preloads(resource) do
     resource
     |> AshJsonApi.Resource.Info.includes()
+    |> filter_hidden_includes(resource)
     |> to_nested_map()
   end
 
+  defp filter_hidden_includes(includes, resource) when is_list(includes) do
+    includes
+    |> Enum.flat_map(fn include ->
+      case filter_hidden_include(include, resource) do
+        nil -> []
+        include -> [include]
+      end
+    end)
+  end
+
+  defp filter_hidden_include({include, further}, resource) do
+    case public_relationship(resource, include) do
+      %{destination: destination} ->
+        {include, filter_hidden_includes(List.wrap(further), destination)}
+
+      nil ->
+        nil
+    end
+  end
+
+  defp filter_hidden_include(include, resource) do
+    if public_relationship(resource, include) do
+      include
+    end
+  end
+
+  defp public_relationship(resource, relationship_name) do
+    case Ash.Resource.Info.public_relationship(resource, relationship_name) do
+      %{name: name} = relationship ->
+        if AshJsonApi.Resource.Info.show_field?(resource, name) do
+          relationship
+        end
+
+      nil ->
+        nil
+    end
+  end
+
   defp to_nested_map(list) when is_list(list) do
     list
     |> Enum.map(fn
 
@@ -687,22 +687,28 @@ defmodule AshJsonApi.Request do
 
   defp parse_field_inputs(request), do: request
 
-  if function_exported?(Ash.Resource.Info, :public_related, 2) do
-    defp public_related(resource, relationship) do
-      Ash.Resource.Info.public_related(resource, relationship)
-    end
-  else
-    defp public_related(resource, relationship) when not is_list(relationship) do
-      public_related(resource, [relationship])
+  defp public_related(resource, relationship) when not is_list(relationship) do
+    public_related(resource, [relationship])
+  end
+
+  defp public_related(resource, []), do: resource
+
+  defp public_related(resource, [path | rest]) do
+    case public_relationship(resource, path) do
+      %{destination: destination} -> public_related(destination, rest)
+      nil -> nil
     end
+  end
 
-    defp public_related(resource, []), do: resource
+  defp public_relationship(resource, relationship_name) do
+    case Ash.Resource.Info.public_relationship(resource, relationship_name) do
+      %{name: name} = relationship ->
+        if AshJsonApi.Resource.Info.show_field?(resource, name) do
+          relationship
+        end
 
-    defp public_related(resource, [path | rest]) do
-      case Ash.Resource.Info.public_relationship(resource, path) do
-        %{destination: destination} -> public_related(destination, rest)
-        nil -> nil
-      end
+      nil ->
+        nil
     end
   end
 
@@ -730,48 +736,56 @@ defmodule AshJsonApi.Request do
           )
 
         calculation ->
-          Enum.reduce(arguments, request, fn {arg_name, arg_value}, request ->
-            calc_arg_names = AshJsonApi.Resource.Info.calculation_argument_names(resource)
-
-            calculation_arg =
-              Enum.find(calculation.arguments, fn argument ->
-                AshJsonApi.Resource.Info.apply_argument_name_mapping(
-                  calc_arg_names,
-                  calculation.name,
-                  argument.name
-                ) == arg_name
-              end)
+          if AshJsonApi.Resource.Info.show_field?(resource, calculation.name) do
+            Enum.reduce(arguments, request, fn {arg_name, arg_value}, request ->
+              calc_arg_names = AshJsonApi.Resource.Info.calculation_argument_names(resource)
+
+              calculation_arg =
+                Enum.find(calculation.arguments, fn argument ->
+                  AshJsonApi.Resource.Info.apply_argument_name_mapping(
+                    calc_arg_names,
+                    calculation.name,
+                    argument.name
+                  ) == arg_name
+                end)
 
-            case calculation_arg do
-              nil ->
-                add_error(
-                  request,
-                  InvalidField.exception(type: type, parameter?: true, field: arg_name),
-                  request.route.type
-                )
+              case calculation_arg do
+                nil ->
+                  add_error(
+                    request,
+                    InvalidField.exception(type: type, parameter?: true, field: arg_name),
+                    request.route.type
+                  )
 
-              _ ->
-                cur_resource_field_inputs = Map.get(request.field_inputs, resource, %{})
+                _ ->
+                  cur_resource_field_inputs = Map.get(request.field_inputs, resource, %{})
 
-                cur_calculation_field_inputs =
-                  Map.get(cur_resource_field_inputs, calculation.name, %{})
+                  cur_calculation_field_inputs =
+                    Map.get(cur_resource_field_inputs, calculation.name, %{})
 
-                updated_calculation_field_inputs =
-                  Map.put(cur_calculation_field_inputs, calculation_arg.name, arg_value)
+                  updated_calculation_field_inputs =
+                    Map.put(cur_calculation_field_inputs, calculation_arg.name, arg_value)
 
-                updated_resource_field_inputs =
-                  Map.put(
-                    cur_resource_field_inputs,
-                    calculation.name,
-                    updated_calculation_field_inputs
-                  )
+                  updated_resource_field_inputs =
+                    Map.put(
+                      cur_resource_field_inputs,
+                      calculation.name,
+                      updated_calculation_field_inputs
+                    )
 
-                updated_field_inputs =
-                  Map.put(request.field_inputs, resource, updated_resource_field_inputs)
+                  updated_field_inputs =
+                    Map.put(request.field_inputs, resource, updated_resource_field_inputs)
 
-                %{request | field_inputs: updated_field_inputs}
-            end
-          end)
+                  %{request | field_inputs: updated_field_inputs}
+              end
+            end)
+          else
+            add_error(
+              request,
+              InvalidField.exception(type: type, parameter?: true, field: calculation_name),
+              request.route.type
+            )
+          end
       end
     end)
   end
@@ -788,20 +802,22 @@ defmodule AshJsonApi.Request do
             resource
             |> Ash.Resource.Info.public_attributes()
             |> Enum.find(fn a ->
-              AshJsonApi.Resource.Info.apply_field_name_mapping(attr_names, a.name) == key
+              AshJsonApi.Resource.Info.show_field?(resource, a.name) &&
+                  AshJsonApi.Resource.Info.apply_field_name_mapping(attr_names, a.name) == key
             end) ->
           fields = Map.update(request.fields, resource, [attr.name], &[attr.name | &1])
           %{request | fields: fields}
 
-        rel = Ash.Resource.Info.public_relationship(resource, key) ->
+        rel = public_relationship(resource, key) ->
           fields = Map.update(request.fields, resource, [rel.name], &[rel.name | &1])
           %{request | fields: fields}
 
         agg =
             resource
             |> Ash.Resource.Info.public_aggregates()
             |> Enum.find(fn a ->
-              AshJsonApi.Resource.Info.apply_field_name_mapping(attr_names, a.name) == key
+              AshJsonApi.Resource.Info.show_field?(resource, a.name) &&
+                  AshJsonApi.Resource.Info.apply_field_name_mapping(attr_names, a.name) == key
             end) ->
           fields = Map.update(request.fields, resource, [agg.name], &[agg.name | &1])
           %{request | fields: fields}
@@ -810,7 +826,8 @@ defmodule AshJsonApi.Request do
             resource
             |> Ash.Resource.Info.public_calculations()
             |> Enum.find(fn c ->
-              AshJsonApi.Resource.Info.apply_field_name_mapping(attr_names, c.name) == key
+              AshJsonApi.Resource.Info.show_field?(resource, c.name) &&
+                  AshJsonApi.Resource.Info.apply_field_name_mapping(attr_names, c.name) == key
             end) ->
           fields = Map.update(request.fields, resource, [calc.name], &[calc.name | &1])
           %{request | fields: fields}
@@ -873,26 +890,29 @@ defmodule AshJsonApi.Request do
                   resource
                   |> Ash.Resource.Info.public_attributes()
                   |> Enum.find(fn a ->
-                    AshJsonApi.Resource.Info.apply_field_name_mapping(attr_names, a.name) ==
-                        field_name
+                    AshJsonApi.Resource.Info.show_field?(resource, a.name) &&
+                        AshJsonApi.Resource.Info.apply_field_name_mapping(attr_names, a.name) ==
+                          field_name
                   end) ->
                 %{request | sort: [{attr.name, order} | request.sort]}
 
               agg =
                   resource
                   |> Ash.Resource.Info.public_aggregates()
                   |> Enum.find(fn a ->
-                    AshJsonApi.Resource.Info.apply_field_name_mapping(attr_names, a.name) ==
-                        field_name
+                    AshJsonApi.Resource.Info.show_field?(resource, a.name) &&
+                        AshJsonApi.Resource.Info.apply_field_name_mapping(attr_names, a.name) ==
+                          field_name
                   end) ->
                 %{request | sort: [{agg.name, order} | request.sort]}
 
               calc =
                   resource
                   |> Ash.Resource.Info.public_calculations()
                   |> Enum.find(fn c ->
-                    AshJsonApi.Resource.Info.apply_field_name_mapping(attr_names, c.name) ==
-                        field_name
+                    AshJsonApi.Resource.Info.show_field?(resource, c.name) &&
+                        AshJsonApi.Resource.Info.apply_field_name_mapping(attr_names, c.name) ==
+                          field_name
                   end) ->
                 %{request | sort: [{calc.name, order} | request.sort]}
 
@@ -981,7 +1001,9 @@ defmodule AshJsonApi.Request do
        ) do
     includes =
       Enum.reduce(
-        AshJsonApi.Resource.Info.always_include_linkage(resource),
+        resource
+        |> AshJsonApi.Resource.Info.always_include_linkage()
+        |> filter_shown_fields(resource),
         includes,
         fn key, includes ->
           if Keyword.has_key?(includes, key) do
@@ -1018,6 +1040,7 @@ defmodule AshJsonApi.Request do
             |> Ash.Resource.Info.public_attributes()
             |> Enum.map(& &1.name)
         )
+        |> filter_shown_fields(related)
         |> Enum.map(fn field ->
           case Map.get(related_field_inputs, field) do
             nil -> field
@@ -1418,6 +1441,10 @@ defmodule AshJsonApi.Request do
     {:error, InvalidRelationshipInput.exception(relationship: name, input: value)}
   end
 
+  defp filter_shown_fields(fields, resource) do
+    Enum.filter(fields, &AshJsonApi.Resource.Info.show_field?(resource, &1))
+  end
+
   defp url(conn) do
     Conn.request_url(conn)
   end
 
@@ -70,17 +70,21 @@ defmodule AshJsonApi.Resource.Info do
     Extension.get_opt(resource, [:json_api], :default_fields, nil, true)
   end
 
-  @doc "Fields to hide from the generated API specification"
+  @doc "Fields to hide from generated API specifications and JSON:API responses"
   def hide_fields(resource) do
     Extension.get_opt(resource, [:json_api], :hide_fields, [], true)
   end
 
-  @doc "Fields to show in the generated API specification"
+  @doc "Fields to show in generated API specifications and JSON:API responses"
   def show_fields(resource) do
     Extension.get_opt(resource, [:json_api], :show_fields, nil, true)
   end
 
-  @doc "Whether or not a given field should be shown in the generated API specification"
+  @doc "Whether or not a given field should be exposed in JSON:API"
+  def show_field?(resource, %{name: name}) do
+    show_field?(resource, name)
+  end
+
   def show_field?(resource, field) do
     hide_fields = hide_fields(resource)
     show_fields = show_fields(resource) || [field]
@@ -189,7 +193,10 @@ defmodule AshJsonApi.Resource.Info do
         Ash.Resource.Info.public_aggregates(resource)
 
     Enum.find_value(all_fields, fn field ->
-      if apply_field_name_mapping(names, field.name) == json_key, do: field.name
+      if show_field?(resource, field.name) &&
+           apply_field_name_mapping(names, field.name) == json_key do
+        field.name
+      end
     end)
   end
 
 
@@ -9,7 +9,10 @@ defmodule AshJsonApi.Resource.Persisters.DefineRouter do
   alias Spark.Dsl.Transformer
 
   def transform(dsl) do
-    routes = AshJsonApi.Resource.Info.routes(dsl)
+    routes =
+      dsl
+      |> AshJsonApi.Resource.Info.routes()
+      |> Enum.filter(&route_visible?(dsl, &1))
 
     route_matchers =
       routes
@@ -45,6 +48,12 @@ defmodule AshJsonApi.Resource.Persisters.DefineRouter do
      )}
   end
 
+  defp route_visible?(_resource, %{relationship: nil}), do: true
+
+  defp route_visible?(resource, %{relationship: relationship}) do
+    AshJsonApi.Resource.Info.show_field?(resource, relationship)
+  end
+
   # sobelow_skip ["DOS.StringToAtom"]
   def route_match(route) do
     split_route = String.split(route.route, "/", trim: true)