From 0dbbc9635303be74524e2e5b573e1b95ffe9330a Mon Sep 17 00:00:00 2001 From: Moritz Date: Sat, 24 Jan 2026 19:13:11 +0100 Subject: [PATCH] Integrate AssignDefaultRole change into user creation actions --- lib/accounts/user.ex | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/lib/accounts/user.ex b/lib/accounts/user.ex index badbd72..efac3b8 100644 --- a/lib/accounts/user.ex +++ b/lib/accounts/user.ex @@ -67,6 +67,13 @@ defmodule Mv.Accounts.User do identity_field :email hash_provider AshAuthentication.BcryptProvider confirmation_required? false + + # NOTE: The auto-generated :register_with_password action does NOT assign a default role. + # This is intentional because: + # - In production, users are created via OIDC (:register_with_rauthy), which DOES assign roles + # - Manual user creation via :create_user DOES assign roles + # - Tests that need a role can use :create_user or manually assign via fixtures + # - The migration ensures existing users without roles get the "Mitglied" role end end end @@ -115,6 +122,9 @@ defmodule Mv.Accounts.User do argument :member, :map, allow_nil?: true upsert? true + # Assign default "Mitglied" role to new users + change Mv.Accounts.User.Changes.AssignDefaultRole + # Manage the member relationship during user creation change manage_relationship(:member, :member, # Look up existing member and relate to it @@ -239,6 +249,8 @@ defmodule Mv.Accounts.User do upsert? true # Upsert based on oidc_id (primary match for existing OIDC users) upsert_identity :unique_oidc_id + # On upsert, only update email - preserve existing role_id + upsert_fields [:email] validate &__MODULE__.validate_oidc_id_present/2 
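Review bot: The comment added under the password strategy records that `:register_with_password` creates users without a role, but it does not say what a role-less user is allowed to do, and nothing visible in this hunk enforces the claim that production only uses OIDC. I would extend the comment with a line such as `# - Policies must deny users whose role_id is nil; password registration stays reachable unless disabled in the strategy`, and back it with a test that a user created through `:register_with_password` is refused role-gated actions. If password registration is not meant to be available in production, `registration_enabled? false` on the strategy would make that explicit instead of relying on the comment. The strategy block starts outside the hunk, so it may already be configured there.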
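Review bot: `change Mv.Accounts.User.Changes.AssignDefaultRole` is added to an action that sets `upsert? true`, yet no `upsert_fields` restriction is visible here, unlike the OIDC action later in this patch. If this action upserts onto an existing user and the change sets `role_id`, an elevated role could be reset to "Mitglied". I would add an explicit list that leaves `role_id` out, e.g. `upsert_fields [:email]`, or have the change skip records that already carry a role, and add a test that upserting an existing admin keeps the role. The action body and the change module are outside the hunk, so this may already be handled there.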
@@ -261,6 +273,10 @@ defmodule Mv.Accounts.User do # - The LinkOidcAccountLive will auto-link passwordless users without password prompt validate Mv.Accounts.User.Validations.OidcEmailCollision + # Assign default "Mitglied" role to new OIDC users + # Note: upsert_fields [:email] ensures this doesn't overwrite existing users' roles + change Mv.Accounts.User.Changes.AssignDefaultRole + # Sync user email to member when linking (User → Member) change Mv.EmailSync.Changes.SyncUserEmailToMember end
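Review bot: The added comment `upsert_fields [:email] ensures this doesn't overwrite existing users' roles` holds only if AssignDefaultRole sets `role_id` as an attribute change on the changeset. `upsert_fields` would not limit a role assigned in an after-action hook or through a relationship update; this is inferred, since the change module is not shown. A regression test would pin it: sign in an existing OIDC user whose role is not the default and assert the role is unchanged afterwards. The comment should also state what happens when the "Mitglied" role does not exist, e.g. `# Fails the action if the default role is missing`, or whichever behaviour is intended. The action continues outside the hunk.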