Add Role resource policies (defense-in-depth)

- PermissionSets: Role read :all for own_data, read_only, normal_user; admin keeps full CRUD
- Role resource: authorizers and policies with HasPermission
- Tests: role_policies_test.exs (read all, create/update/destroy admin only)
- Fix existing tests to pass actor or authorize?: false for Role operations

test/mv_web/authorization_test.exs

@@ -50,14 +50,14 @@ defmodule MvWeb.AuthorizationTest do
       assert Authorization.can?(admin, :destroy, Mv.Authorization.Role) == true
     end
 
-    test "non-admin cannot manage roles" do
+    test "non-admin can read roles but cannot create/update/destroy" do
       normal_user = %{
         id: "normal-123",
         role: %{permission_set_name: "normal_user"}
       }
 
+      assert Authorization.can?(normal_user, :read, Mv.Authorization.Role) == true
       assert Authorization.can?(normal_user, :create, Mv.Authorization.Role) == false
-      assert Authorization.can?(normal_user, :read, Mv.Authorization.Role) == false
       assert Authorization.can?(normal_user, :update, Mv.Authorization.Role) == false
       assert Authorization.can?(normal_user, :destroy, Mv.Authorization.Role) == false
     end

test/mv_web/live/role_live/show_test.exs

@@ -18,7 +18,7 @@ defmodule MvWeb.RoleLive.ShowTest do
   alias Mv.Authorization
   alias Mv.Authorization.Role
 
-  # Helper to create a role
+  # Helper to create a role (authorize?: false for test data setup)
   defp create_role(attrs \\ %{}) do
     default_attrs = %{
       name: "Test Role #{System.unique_integer([:positive])}",
@@ -28,7 +28,7 @@ defmodule MvWeb.RoleLive.ShowTest do
 
     attrs = Map.merge(default_attrs, attrs)
 
-    case Authorization.create_role(attrs) do
+    case Authorization.create_role(attrs, authorize?: false) do
       {:ok, role} -> role
       {:error, error} -> raise "Failed to create role: #{inspect(error)}"
     end
@@ -38,7 +38,7 @@ defmodule MvWeb.RoleLive.ShowTest do
   defp create_admin_user(conn, actor) do
     # Create admin role
     admin_role =
-      case Authorization.list_roles() do
+      case Authorization.list_roles(authorize?: false) do
         {:ok, roles} ->
           case Enum.find(roles, &(&1.name == "Admin")) do
             nil ->

test/mv_web/live/role_live_test.exs

@@ -9,7 +9,7 @@ defmodule MvWeb.RoleLiveTest do
   alias Mv.Authorization
   alias Mv.Authorization.Role
 
-  # Helper to create a role
+  # Helper to create a role (authorize?: false for test data setup)
   defp create_role(attrs \\ %{}) do
     default_attrs = %{
       name: "Test Role #{System.unique_integer([:positive])}",
@@ -19,7 +19,7 @@ defmodule MvWeb.RoleLiveTest do
 
     attrs = Map.merge(default_attrs, attrs)
 
-    case Authorization.create_role(attrs) do
+    case Authorization.create_role(attrs, authorize?: false) do
       {:ok, role} -> role
       {:error, error} -> raise "Failed to create role: #{inspect(error)}"
     end
@@ -29,7 +29,7 @@ defmodule MvWeb.RoleLiveTest do
   defp create_admin_user(conn, actor) do
     # Create admin role
     admin_role =
-      case Authorization.list_roles() do
+      case Authorization.list_roles(authorize?: false) do
         {:ok, roles} ->
           case Enum.find(roles, &(&1.name == "Admin")) do
             nil ->
@@ -332,7 +332,7 @@ defmodule MvWeb.RoleLiveTest do
       assert match?({:error, {:redirect, %{to: "/admin/roles"}}}, result)
     end
 
-    test "updates role name", %{conn: conn, role: role} do
+    test "updates role name", %{conn: conn, role: role, actor: actor} do
       {:ok, view, _html} = live(conn, "/admin/roles/#{role.id}/edit?return_to=show")
 
       attrs = %{
@@ -348,7 +348,7 @@ defmodule MvWeb.RoleLiveTest do
       assert_redirect(view, "/admin/roles/#{role.id}")
 
       # Verify update
-      {:ok, updated_role} = Authorization.get_role(role.id)
+      {:ok, updated_role} = Authorization.get_role(role.id, actor: actor)
       assert updated_role.name == "Updated Role Name"
     end
 
@@ -377,7 +377,7 @@ defmodule MvWeb.RoleLiveTest do
       assert_redirect(view, "/admin/roles/#{system_role.id}")
 
       # Verify update
-      {:ok, updated_role} = Authorization.get_role(system_role.id)
+      {:ok, updated_role} = Authorization.get_role(system_role.id, actor: actor)
       assert updated_role.permission_set_name == "read_only"
     end
   end
@@ -390,7 +390,7 @@ defmodule MvWeb.RoleLiveTest do
     end
 
     @tag :slow
-    test "deletes non-system role", %{conn: conn} do
+    test "deletes non-system role", %{conn: conn, actor: actor} do
       role = create_role()
 
       {:ok, view, html} = live(conn, "/admin/roles")
@@ -404,7 +404,7 @@ defmodule MvWeb.RoleLiveTest do
 
       # Verify deletion by checking database
       assert {:error, %Ash.Error.Invalid{errors: [%Ash.Error.Query.NotFound{}]}} =
-               Authorization.get_role(role.id)
+               Authorization.get_role(role.id, actor: actor)
     end
 
     test "fails to delete system role with error message", %{conn: conn, actor: actor} do
@@ -430,7 +430,7 @@ defmodule MvWeb.RoleLiveTest do
       assert render(view) =~ "System roles cannot be deleted"
 
       # Role should still exist
-      {:ok, _role} = Authorization.get_role(system_role.id)
+      {:ok, _role} = Authorization.get_role(system_role.id, actor: actor)
     end
   end