Doc: Actor maybe_load_role comment; ActorIsAdmin system user = admin

2026-02-03 15:00:24 +01:00 · 2026-02-03 15:00:24 +01:00 · 47b6a16177
commit 47b6a16177
parent 60a4181255
2 changed files with 5 additions and 2 deletions
--- a/lib/mv/authorization/actor.ex
+++ b/lib/mv/authorization/actor.ex
@ -133,6 +133,8 @@ defmodule Mv.Authorization.Actor do
    SystemActor.system_user?(actor) or permission_set_name(actor) in ["admin", :admin]
  end

+  # Load role only when it is nil (e.g. actor from session without role). ensure_loaded/1
+  # already handles %Ash.NotLoaded{}, so we do not double-load in the normal Ash path.
  defp maybe_load_role(%Mv.Accounts.User{role: nil} = user) do
    case Ash.load(user, :role, domain: Mv.Accounts, authorize?: false) do
      {:ok, loaded} -> loaded
--- a/lib/mv/authorization/checks/actor_is_admin.ex
+++ b/lib/mv/authorization/checks/actor_is_admin.ex
@ -1,9 +1,10 @@
 defmodule Mv.Authorization.Checks.ActorIsAdmin do
  @moduledoc """
-  Policy check: true when the actor's role has permission_set_name "admin".
+  Policy check: true when the actor is the system user or has permission_set_name "admin".

  Used to restrict actions (e.g. User.update_user for member link/unlink) to admins only.
-  Delegates to `Mv.Authorization.Actor.admin?/1` for consistency.
+  Delegates to `Mv.Authorization.Actor.admin?/1`, which returns true for the system actor
+  or for a user whose role has permission_set_name "admin".
  """
  use Ash.Policy.SimpleCheck