From 47b6a16177c50e593a71c619a8204f1fb11311a0 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Tue, 3 Feb 2026 15:00:24 +0100
Subject: [PATCH] Doc: Actor maybe_load_role comment; ActorIsAdmin system user = admin

---
 lib/mv/authorization/actor.ex | 2 ++
 lib/mv/authorization/checks/actor_is_admin.ex | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/mv/authorization/actor.ex b/lib/mv/authorization/actor.ex
index bfc99ed..edc6b8b 100644
--- a/lib/mv/authorization/actor.ex
+++ b/lib/mv/authorization/actor.ex
@@ -133,6 +133,8 @@ defmodule Mv.Authorization.Actor do
     SystemActor.system_user?(actor) or permission_set_name(actor) in ["admin", :admin]
   end
+  # Load role only when it is nil (e.g. actor from session without role). ensure_loaded/1
+  # already handles %Ash.NotLoaded{}, so we do not double-load in the normal Ash path.
   defp maybe_load_role(%Mv.Accounts.User{role: nil} = user) do
     case Ash.load(user, :role, domain: Mv.Accounts, authorize?: false) do
       {:ok, loaded} -> loaded
diff --git a/lib/mv/authorization/checks/actor_is_admin.ex b/lib/mv/authorization/checks/actor_is_admin.ex
index 8ab038a..413c6c7 100644
--- a/lib/mv/authorization/checks/actor_is_admin.ex
+++ b/lib/mv/authorization/checks/actor_is_admin.ex
@@ -1,9 +1,10 @@
 defmodule Mv.Authorization.Checks.ActorIsAdmin do
   @moduledoc """
-  Policy check: true when the actor's role has permission_set_name "admin".
+  Policy check: true when the actor is the system user or has permission_set_name "admin".
   Used to restrict actions (e.g. User.update_user for member link/unlink) to admins only.
-  Delegates to `Mv.Authorization.Actor.admin?/1` for consistency.
+  Delegates to `Mv.Authorization.Actor.admin?/1`, which returns true for the system actor
+  or for a user whose role has permission_set_name "admin".
   """
   use Ash.Policy.SimpleCheck
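Review bot: The new comment on `maybe_load_role/1` explains when the role is loaded but not why the load runs with `authorize?: false`, which is the line in this hunk a future reader is most likely to copy elsewhere; since this sits inside the authorization layer, the comment should justify the bypass. I would extend it with `# authorize?: false is deliberate: we only fetch the actor's own role to evaluate a policy; presumably authorizing this load would re-enter the same policies.` The `{:error, _}` branch of this `case` and any further `maybe_load_role/1` clauses lie outside the hunk; if that branch returns the user unchanged with `role: nil`, the actor ends up non-admin, which fails closed and is worth stating in the comment as well.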
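Review bot: The rewritten `@moduledoc` now documents that the system actor satisfies this admin-only check, but it says nothing about where a legitimate system actor may come from, so a reader cannot tell that it must never be derived from request or session data. I would add a sentence such as `The system actor is only produced by internal code paths and is never built from request or session input; any path that did so would grant full admin rights.`, adjusted to whatever `SystemActor.system_user?/1` actually accepts, which is not visible in this patch. Separately, `admin?/1` in the actor.ex hunk accepts both `"admin"` and `:admin` for `permission_set_name`, while this doc quotes only the string form; either document both or state which representation is canonical.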