local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 66 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

Add actor parameter to all tests requiring authorization

Browse source 
This commit adds actor: system_actor to all Ash operations in tests that
require authorization.
This commit is contained in:
Moritz 2026-01-23 20:00:24 +01:00
parent 686f69c9e9
commit 0f48a9b15a
Signed by: moritz
GPG key ID: 1020A035E5DD0824
75 changed files with 4686 additions and 2859 deletions
Download patch file Download diff file Expand all files Collapse all files

19
test/mv/authorization/actor_test.exs
View file

@ -7,12 +7,17 @@ defmodule Mv.Authorization.ActorTest do
alias Mv.Accounts
alias Mv.Authorization.Actor
setup do
system_actor = Mv.Helpers.SystemActor.get_system_actor()
%{actor: system_actor}
end
describe "ensure_loaded/1" do
test "returns nil when actor is nil" do
assert Actor.ensure_loaded(nil) == nil
end
test "returns actor as-is when role is already loaded" do
test "returns actor as-is when role is already loaded", %{actor: actor} do
# Create user with role
{:ok, user} =
Accounts.User
@ -20,7 +25,7 @@ defmodule Mv.Authorization.ActorTest do
email: "test#{System.unique_integer([:positive])}@example.com",
password: "testpassword123"
})
|> Ash.create()
|> Ash.create(actor: actor)
# Load role
{:ok, user_with_role} = Ash.load(user, :role, domain: Mv.Accounts)
@ -31,7 +36,7 @@ defmodule Mv.Authorization.ActorTest do
assert result.role != %Ash.NotLoaded{}
end
test "loads role when it's NotLoaded" do
test "loads role when it's NotLoaded", %{actor: actor} do
# Create a role first
{:ok, role} =
Mv.Authorization.Role
@ -40,7 +45,7 @@ defmodule Mv.Authorization.ActorTest do
description: "Test role",
permission_set_name: "own_data"
})
|> Ash.create()
|> Ash.create(actor: actor)
# Create user with role
{:ok, user} =
@ -49,18 +54,18 @@ defmodule Mv.Authorization.ActorTest do
email: "test#{System.unique_integer([:positive])}@example.com",
password: "testpassword123"
})
|> Ash.create()
|> Ash.create(actor: actor)
# Assign role to user
{:ok, user_with_role} =
user
|> Ash.Changeset.for_update(:update, %{})
|> Ash.Changeset.manage_relationship(:role, role, type: :append_and_remove)
|> Ash.update()
|> Ash.update(actor: actor)
# Fetch user again WITHOUT loading role (simulates "role not preloaded" scenario)
{:ok, user_without_role_loaded} =
Ash.get(Accounts.User, user_with_role.id, domain: Mv.Accounts)
Ash.get(Accounts.User, user_with_role.id, domain: Mv.Accounts, actor: actor)
# User has role as NotLoaded (relationship not preloaded)
assert match?(%Ash.NotLoaded{}, user_without_role_loaded.role)

5
test/mv/authorization/checks/has_permission_fail_closed_test.exs
View file

@ -36,7 +36,10 @@ defmodule Mv.Authorization.Checks.HasPermissionFailClosedTest do
|> Ash.Query.new()
|> Ash.Query.filter_input(deny_filter)
{:ok, results} = Ash.read(query, domain: Mv.Membership, authorize?: false)
system_actor = Mv.Helpers.SystemActor.get_system_actor()
{:ok, results} =
Ash.read(query, domain: Mv.Membership, authorize?: false, actor: system_actor)
# Assert: deny-filter must match nothing
assert results == []

9
test/mv/authorization/role_test.exs
View file

@ -6,6 +6,11 @@ defmodule Mv.Authorization.RoleTest do
alias Mv.Authorization
setup do
system_actor = Mv.Helpers.SystemActor.get_system_actor()
%{actor: system_actor}
end
describe "permission_set_name validation" do
test "accepts valid permission set names" do
attrs = %{
@ -42,7 +47,7 @@ defmodule Mv.Authorization.RoleTest do
end
describe "system role deletion protection" do
test "prevents deletion of system roles" do
test "prevents deletion of system roles", %{actor: actor} do
# is_system_role is not settable via public API, so we use Ash.Changeset directly
changeset =
Mv.Authorization.Role
@ -52,7 +57,7 @@ defmodule Mv.Authorization.RoleTest do
})
|> Ash.Changeset.force_change_attribute(:is_system_role, true)
{:ok, system_role} = Ash.create(changeset)
{:ok, system_role} = Ash.create(changeset, actor: actor)
assert {:error, %Ash.Error.Invalid{errors: errors}} =
Authorization.destroy_role(system_role)