Restrict set_vereinfacht_contact_id to system actor

- Add ActorIsSystemUser policy check
- Member set_vereinfacht_contact_id only allowed for system user
This commit is contained in:
Moritz 2026-02-23 19:21:13 +01:00
parent 9d3c72acff
commit 1188320844
Signed by: moritz
GPG key ID: 1020A035E5DD0824
2 changed files with 18 additions and 3 deletions


@ -333,10 +333,10 @@ defmodule Mv.Membership.Member do
authorize_if Mv.Authorization.Checks.HasPermission
end
# Internal sync action: allow setting vereinfacht_contact_id (used only by SyncContact change).
# Internal sync action: only SystemActor may set vereinfacht_contact_id (used by SyncContact change).
policy action(:set_vereinfacht_contact_id) do
description "Allow internal sync to set Vereinfacht contact ID"
authorize_if always()
description "Only system actor may set Vereinfacht contact ID"
authorize_if Mv.Authorization.Checks.ActorIsSystemUser
end
# CREATE/UPDATE: Forbid memberuser link unless admin, then check permissions
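Review bot: the replacement of `authorize_if always()` with `authorize_if Mv.Authorization.Checks.ActorIsSystemUser` means any invocation of `:set_vereinfacht_contact_id` that does not carry the system actor (including the SyncContact change the comment refers to, if it is ever run from a request context or from a script without `actor:` set) will now be forbidden rather than silently allowed, so please confirm every call site passes the system actor and add a test that asserts the action is forbidden for a non-system actor and permitted for the system actor. The `ActorIsSystemUser` check module itself is one of the two changed files but is not visible in this hunk; it should return `false` (not raise) when the actor is `nil` so the policy fails closed on unauthenticated calls. Minor: the new comment on the action still says "(used by SyncContact change)", which is fine, but the `description` string and the comment now duplicate each other; one of them could be shortened.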