Fix authorization bypass in seeds and validations
- Add authorize?: false to all bootstrap operations in seeds.exs
- Fix user-linking validation to respect authorize? context flag
- Prevents authorization errors during initial setup when no actor exists yet
parent
67b5d623cf
commit
079d270768
2 changed files with 47 additions and 17 deletions
|
|
@ -407,8 +407,16 @@ defmodule Mv.Membership.Member do
|
|||
actor = Map.get(changeset.context || %{}, :actor)
|
||||
|
||||
# Check the current state of the user in the database
|
||||
# Pass actor to ensure proper authorization (User might have policies in future)
|
||||
case Ash.get(Mv.Accounts.User, user_id, actor: actor) do
|
||||
# Check if authorization is disabled in the parent operation's context
|
||||
# Access private context where authorize? flag is stored
|
||||
authorize? =
|
||||
case get_in(changeset.context, [:private, :authorize?]) do
|
||||
false -> false
|
||||
_ -> true
|
||||
end
|
||||
|
||||
# Pass actor and authorize? to ensure proper authorization (User might have policies in future)
|
||||
case Ash.get(Mv.Accounts.User, user_id, actor: actor, authorize?: authorize?) do
|
||||
# User is free to be linked
|
||||
{:ok, %{member_id: nil}} ->
|
||||
:ok
|
||||
|
|
|
|||
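Review bot: The `Ash.get` lookup on the new side inherits `authorize?: false` from whatever parent operation runs this validation, so the bypass is not limited to seeds: any caller that runs the Member action with authorization disabled also reads `Mv.Accounts.User` without policies. The comment above the call still says it ensures proper authorization, which no longer holds in that case; I would replace it with `# Inherit authorize? from the parent operation: false only for trusted system callers (e.g. seeds); a missing or non-false flag keeps policies on`. The flag is read from `changeset.context[:private]`, which the added comment itself describes as private context, so a test pinning both the `false` path and the absent-key path would catch a change in where that flag lives. The `case` on the lookup result continues outside the hunk, so how a forbidden result is handled when `actor` is nil is not visible here.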