local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 66 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

Doc: Actor maybe_load_role comment; ActorIsAdmin system user = admin

Browse source
This commit is contained in:
Moritz 2026-02-03 15:00:24 +01:00
parent 60a4181255
commit 47b6a16177
Signed by: moritz
GPG key ID: 1020A035E5DD0824
2 changed files with 5 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
lib/mv/authorization/actor.ex
View file

@ -133,6 +133,8 @@ defmodule Mv.Authorization.Actor do
SystemActor.system_user?(actor) or permission_set_name(actor) in ["admin", :admin] SystemActor.system_user?(actor) or permission_set_name(actor) in ["admin", :admin]
end end
# Load role only when it is nil (e.g. actor from session without role). ensure_loaded/1
# already handles %Ash.NotLoaded{}, so we do not double-load in the normal Ash path.
defp maybe_load_role(%Mv.Accounts.User{role: nil} = user) do defp maybe_load_role(%Mv.Accounts.User{role: nil} = user) do
case Ash.load(user, :role, domain: Mv.Accounts, authorize?: false) do case Ash.load(user, :role, domain: Mv.Accounts, authorize?: false) do
{:ok, loaded} -> loaded {:ok, loaded} -> loaded

5
lib/mv/authorization/checks/actor_is_admin.ex
View file

@ -1,9 +1,10 @@
defmodule Mv.Authorization.Checks.ActorIsAdmin do defmodule Mv.Authorization.Checks.ActorIsAdmin do
@moduledoc """ @moduledoc """
Policy check: true when the actor's role has permission_set_name "admin". Policy check: true when the actor is the system user or has permission_set_name "admin".
Used to restrict actions (e.g. User.update_user for member link/unlink) to admins only. Used to restrict actions (e.g. User.update_user for member link/unlink) to admins only.
Delegates to `Mv.Authorization.Actor.admin?/1` for consistency. Delegates to `Mv.Authorization.Actor.admin?/1`, which returns true for the system actor
or for a user whose role has permission_set_name "admin".
""" """
use Ash.Policy.SimpleCheck use Ash.Policy.SimpleCheck