local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 67 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

Add Actor.permission_set_name/1 and admin?/1 for consistent capability checks

Browse source 
- Actor.permission_set_name(actor) returns role's permission set (supports nil role load).
- Actor.admin?(actor) returns true for system user or admin permission set.
- ActorIsAdmin policy check delegates to Actor.admin?/1.
This commit is contained in:
Moritz 2026-02-03 14:34:24 +01:00
parent c998d14b95
commit 3d46ba655f
2 changed files with 52 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

13
lib/mv/authorization/checks/actor_is_admin.ex
View file

@ -3,20 +3,15 @@ defmodule Mv.Authorization.Checks.ActorIsAdmin do
Policy check: true when the actor's role has permission_set_name "admin".
Used to restrict actions (e.g. User.update_user for member link/unlink) to admins only.
Delegates to `Mv.Authorization.Actor.admin?/1` for consistency.
"""
use Ash.Policy.SimpleCheck
alias Mv.Authorization.Actor
@impl true
def describe(_opts), do: "actor has admin permission set"
@impl true
def match?(nil, _context, _opts), do: false
def match?(actor, _context, _opts) do
ps_name =
get_in(actor, [Access.key(:role), Access.key(:permission_set_name)]) ||
get_in(actor, [Access.key("role"), Access.key("permission_set_name")])
ps_name == "admin"
end
def match?(actor, _context, _opts), do: Actor.admin?(actor)
end