MembershipFeeCycle: own_data read :linked via bypass and HasPermission scope

- own_data gets read scope :linked; apply_scope in HasPermission; bypass check for own_data.
- PermissionSetsTest expects own_data :linked, others :all for MFC read.

test/mv/authorization/permission_sets_test.exs

@@ -680,7 +680,7 @@ defmodule Mv.Authorization.PermissionSetsTest do
   end
 
   describe "get_permissions/1 - MembershipFeeCycle resource" do
-    test "all permission sets have MembershipFeeCycle read with scope :all" do
+    test "all permission sets have MembershipFeeCycle read; own_data uses :linked, others :all" do
       for set <- PermissionSets.all_permission_sets() do
         permissions = PermissionSets.get_permissions(set)
 
@@ -690,8 +690,12 @@ defmodule Mv.Authorization.PermissionSetsTest do
           end)
 
         assert mfc_read != nil, "Permission set #{set} should have MembershipFeeCycle read"
-        assert mfc_read.scope == :all
         assert mfc_read.granted == true
+
+        expected_scope = if set == :own_data, do: :linked, else: :all
+
+        assert mfc_read.scope == expected_scope,
+               "Permission set #{set} should have MembershipFeeCycle read scope #{expected_scope}, got #{mfc_read.scope}"
       end
     end
 

test/mv/membership_fees/membership_fee_cycle_policies_test.exs

@@ -2,9 +2,9 @@ defmodule Mv.MembershipFees.MembershipFeeCyclePoliciesTest do
   @moduledoc """
   Tests for MembershipFeeCycle resource authorization policies.
 
-  Verifies read_only can only read (no update/mark_as_paid);
-  normal_user and admin can read and update (including mark_as_paid);
-  only admin can create and destroy.
+  Verifies own_data can only read :linked (linked member's cycles);
+  read_only can only read (no create/update/destroy);
+  normal_user and admin can read, create, update, destroy (including mark_as_paid).
   """
   use Mv.DataCase, async: false
 
@@ -69,6 +69,64 @@ defmodule Mv.MembershipFees.MembershipFeeCyclePoliciesTest do
     cycle
   end
 
+  describe "own_data permission set" do
+    setup %{actor: actor} do
+      user = Mv.Fixtures.user_with_role_fixture("own_data")
+      linked_member = create_member_fixture()
+      other_member = create_member_fixture()
+      fee_type = create_fee_type_fixture()
+      admin = Mv.Fixtures.user_with_role_fixture("admin")
+
+      user =
+        user
+        |> Ash.Changeset.for_update(:update, %{}, domain: Mv.Accounts)
+        |> Ash.Changeset.force_change_attribute(:member_id, linked_member.id)
+        |> Ash.update(actor: admin, domain: Mv.Accounts)
+
+      {:ok, user} = Ash.load(user, :role, domain: Mv.Accounts, actor: actor)
+
+      {:ok, cycle_linked} =
+        MembershipFees.create_membership_fee_cycle(
+          %{
+            member_id: linked_member.id,
+            membership_fee_type_id: fee_type.id,
+            cycle_start: Date.utc_today(),
+            amount: Decimal.new("10.00"),
+            status: :unpaid
+          },
+          actor: admin
+        )
+
+      {:ok, cycle_other} =
+        MembershipFees.create_membership_fee_cycle(
+          %{
+            member_id: other_member.id,
+            membership_fee_type_id: fee_type.id,
+            cycle_start: Date.add(Date.utc_today(), -365),
+            amount: Decimal.new("10.00"),
+            status: :unpaid
+          },
+          actor: admin
+        )
+
+      %{user: user, cycle_linked: cycle_linked, cycle_other: cycle_other}
+    end
+
+    test "can read only linked member's cycles", %{
+      user: user,
+      cycle_linked: cycle_linked,
+      cycle_other: cycle_other
+    } do
+      {:ok, list} =
+        Mv.MembershipFees.MembershipFeeCycle
+        |> Ash.read(actor: user, domain: Mv.MembershipFees)
+
+      ids = Enum.map(list, & &1.id)
+      assert cycle_linked.id in ids
+      refute cycle_other.id in ids
+    end
+  end
+
   describe "read_only permission set" do
     setup %{actor: actor} do
       user = Mv.Fixtures.user_with_role_fixture("read_only")