Version policies

[rgraff]

A couple issues:

• Version resources are created with an authorize?: false but does this fail if the api has authorize :always
• Are policies authorized currently or are they globably readable (footgun)
• Policies can be added via a mixin. Should update the readme.
• Can we declare policies in the paper_trail section. Might be a lift not worth doing if we can get full support via mixin.

[zachdaniel]

Yeah, I think mixins are the way to go for version policies. You're right that it could be a footman that there are no policies on that resource by default, but I'm not sure yet how to handle that ergonomically. Yes, authorize :always will cause version resources not to fail, but what we can do is set some context i.e %{ash_paper_trail_action?: true} and have a policy that checks for that, so users with authorize :always have a way to approve the actions done by this extension.

[rgraff]

Based on that input I think we should:

• Add authorizer and bypass policy for a context (%{ash_paper_trail_action?: true}) to essentially make them create only
• Add a resource option to make them always readable, scoped only by tenant (if applicable)
• Update readme with example of how to apply policies via mixin for more fine-grained read controls.