Restrict set_vereinfacht_contact_id to system actor
- Add ActorIsSystemUser policy check - Member set_vereinfacht_contact_id only allowed for system user
This commit is contained in:
parent
9d3c72acff
commit
1188320844
GPG key ID:
1020A035E5DD0824
2 changed files with 18 additions and 3 deletions
15
lib/mv/authorization/checks/actor_is_system_user.ex
Normal file
15
lib/mv/authorization/checks/actor_is_system_user.ex
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
defmodule Mv.Authorization.Checks.ActorIsSystemUser do
|
||||
@moduledoc """
|
||||
Policy check: true only when the actor is the system user (e.g. system@mila.local).
|
||||
|
||||
Used to restrict internal actions (e.g. Member.set_vereinfacht_contact_id) so that
|
||||
only code paths using SystemActor can perform them, not regular admins.
|
||||
"""
|
||||
use Ash.Policy.SimpleCheck
|
||||
|
||||
@impl true
|
||||
def describe(_opts), do: "actor is the system user"
|
||||
|
||||
@impl true
|
||||
def match?(actor, _context, _opts), do: Mv.Helpers.SystemActor.system_user?(actor)
|
||||
end
|
||||
Loading…
Add table
Add a link
Reference in a new issue