Add admin authorization check for regenerate cycles button

Restrict UI access to cycle regeneration to administrators only,
to prevent bypassing the authorization policy via the user interface
This commit is contained in:
Moritz 2026-01-21 08:02:38 +01:00 committed by Simon
parent 15bf76ab25
commit 214b84b9b3
Signed by: simon
GPG key ID: 40E7A58C4AA1EDB2


@ -554,6 +554,11 @@ defmodule MvWeb.MemberLive.Show.MembershipFeesComponent do
end end
def handle_event("regenerate_cycles", _params, socket) do def handle_event("regenerate_cycles", _params, socket) do
actor = current_actor(socket)
# SECURITY: Only admins can manually regenerate cycles via UI
# Cycle generation itself uses system actor, but UI access should be restricted
if actor.role && actor.role.permission_set_name == "admin" do
socket = assign(socket, :regenerating, true) socket = assign(socket, :regenerating, true)
member = socket.assigns.member member = socket.assigns.member
@ -594,6 +599,11 @@ defmodule MvWeb.MemberLive.Show.MembershipFeesComponent do
|> assign(:regenerating, false) |> assign(:regenerating, false)
|> put_flash(:error, format_error(error))} |> put_flash(:error, format_error(error))}
end end
else
{:noreply,
socket
|> put_flash(:error, gettext("Only administrators can regenerate cycles"))}
end
end end
def handle_event("edit_cycle_amount", %{"cycle_id" => cycle_id}, socket) do def handle_event("edit_cycle_amount", %{"cycle_id" => cycle_id}, socket) do
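Review bot: The new guard `if actor.role && actor.role.permission_set_name == "admin" do` dereferences `actor` unconditionally, so if `current_actor/1` can return `nil` for a session without a loaded actor the denied request becomes a crash rather than the intended flash; a shape match such as `if match?(%{role: %{permission_set_name: "admin"}}, actor) do` rejects `nil`, a missing role and a non-admin role uniformly, and the literal `"admin"` would be better kept in one helper (e.g. `admin?/1`) than repeated as a string per handler. The added comment says the generation itself runs as the system actor, which makes this handler the only authorization on the path: it protects the UI event, but any other caller reaching the same action with the system actor is not covered, so either pass `actor` through so the domain policy decides or make that explicit in the comment, e.g. `# SECURITY: sole authorization gate — the underlying action runs as the system actor and does not re-check`. The body of `handle_event("regenerate_cycles", ...)` runs between the two hunks, so I cannot confirm whether the button is also hidden in the template for non-admins.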