local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 72 Pull requests 3 Projects 4 Releases Packages 1 Activity Actions

Security: Fix critical deny-filter bug and improve authorization
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse source 
CRITICAL FIX: Deny-filter was allowing all records instead of denying
Fix: User validation in Member now uses actor from changeset.context
This commit is contained in:
Moritz 2026-01-08 23:12:07 +01:00
parent e5eb3b7e89
commit 05cbd833bc
Signed by: moritz
GPG key ID: 1020A035E5DD0824
4 changed files with 25 additions and 332 deletions
Download patch file Download diff file Expand all files Collapse all files

4
test/mv/authorization/checks/has_permission_integration_test.exs
View file

@ -28,7 +28,7 @@ defmodule Mv.Authorization.Checks.HasPermissionIntegrationTest do
end
describe "Filter Expression Structure - :linked scope" do
test "Member filter uses user.id relationship path" do
test "Member filter uses actor.member_id (inverse relationship)" do
actor = create_actor_with_role("own_data", member_id: "member-123")
authorizer = create_authorizer(Mv.Membership.Member, :read)
@ -42,7 +42,7 @@ defmodule Mv.Authorization.Checks.HasPermissionIntegrationTest do
assert is_list(filter) or is_map(filter)
end
test "CustomFieldValue filter uses member.user.id relationship path" do
test "CustomFieldValue filter uses actor.member_id (via member relationship)" do
actor = create_actor_with_role("own_data", member_id: "member-123")
authorizer = create_authorizer(Mv.Membership.CustomFieldValue, :read)