fix: handle wrapper errors with empty inner errors list (#423)

When Ash.Error.Forbidden (or Framework, Invalid, Unknown) is raised with
no inner errors, to_json_api_errors flat-mapped over [] and produced zero
JSON:API errors. This caused downstream code to proceed as if no error
occurred, ultimately crashing with KeyError on missing :result assign.

Add a guard (errors != []) to the wrapper-unwrapping clause so empty
wrappers fall through to the catch-all, and add ToJsonApiError protocol
implementations for the four wrapper types so they produce a proper
error response.

Closes #422

Author: barnabasJ

lib/ash_json_api/error/error.ex

@@ -27,7 +27,7 @@ defmodule AshJsonApi.Error do
   end
 
   def to_json_api_errors(domain, resource, %mod{errors: errors}, type)
-      when mod in [Forbidden, Framework, Invalid, Unknown] do
+      when mod in [Forbidden, Framework, Invalid, Unknown] and errors != [] do
     Enum.flat_map(errors, &to_json_api_errors(domain, resource, &1, type))
   end
 
@@ -338,6 +338,19 @@ defimpl AshJsonApi.ToJsonApiError, for: Ash.Error.Query.Required do
   end
 end
 
+defimpl AshJsonApi.ToJsonApiError,
+  for: [Ash.Error.Forbidden, Ash.Error.Framework, Ash.Error.Invalid, Ash.Error.Unknown] do
+  def to_json_api_error(error) do
+    %AshJsonApi.Error{
+      id: Ash.UUID.generate(),
+      status_code: AshJsonApi.Error.class_to_status(error.class),
+      code: to_string(error.class),
+      title: error.class |> to_string() |> String.capitalize(),
+      detail: to_string(error.class)
+    }
+  end
+end
+
 defimpl AshJsonApi.ToJsonApiError, for: Ash.Error.Forbidden.Policy do
   def to_json_api_error(error) do
     message =

test/acceptance/patch_test.exs

@@ -200,6 +200,10 @@ defmodule Test.Acceptance.PatchTest do
           route "/fake_update/:id"
         end
 
+        patch :forbidden_update do
+          route "/forbidden_update/:id"
+        end
+
         related :author, :read
         patch_relationship :author
       end
@@ -237,6 +241,15 @@ defmodule Test.Acceptance.PatchTest do
         end)
       end
 
+      action :forbidden_update, :struct do
+        constraints(instance_of: __MODULE__)
+        argument(:id, :uuid, allow_nil?: false)
+
+        run(fn _input, _ ->
+          {:error, Ash.Error.Forbidden.exception([])}
+        end)
+      end
+
       read :by_name do
         argument :name, :string do
           allow_nil?(false)
@@ -715,6 +728,35 @@ defmodule Test.Acceptance.PatchTest do
     end
   end
 
+  describe "patch with generic action returning forbidden" do
+    setup do
+      id = Ecto.UUID.generate()
+
+      post =
+        Post
+        |> Ash.Changeset.for_create(:create, %{name: "Valid Post", id: id})
+        |> Ash.create!()
+
+      %{post: post}
+    end
+
+    test "returns 403 when generic action returns Forbidden error", %{post: post} do
+      response =
+        Domain
+        |> patch(
+          "/posts/forbidden_update/#{post.id}",
+          %{
+            data: %{attributes: %{}}
+          },
+          status: 403
+        )
+
+      assert %{"errors" => [error]} = response.resp_body
+      assert error["code"] == "forbidden"
+      assert error["status"] == "403"
+    end
+  end
+
   describe "patch with composite primary key" do
     setup do
       author =