Add Role resource policies (defense-in-depth)

- PermissionSets: Role read :all for own_data, read_only, normal_user; admin keeps full CRUD - Role resource: authorizers and policies with HasPermission - Tests: role_policies_test.exs (read all, create/update/destroy admin only) - Fix existing tests to pass actor or authorize?: false for Role operations
2026-02-04 12:37:48 +01:00 · 2026-02-04 12:37:48 +01:00 · 4d3a64c177
commit 4d3a64c177
parent 10f37a1246
8 changed files with 304 additions and 51 deletions
--- a/test/mv_web/live/role_live_test.exs
+++ b/test/mv_web/live/role_live_test.exs
@ -9,7 +9,7 @@ defmodule MvWeb.RoleLiveTest do
  alias Mv.Authorization
  alias Mv.Authorization.Role

-  # Helper to create a role
+  # Helper to create a role (authorize?: false for test data setup)
  defp create_role(attrs \\ %{}) do
    default_attrs = %{
      name: "Test Role #{System.unique_integer([:positive])}",
@ -19,7 +19,7 @@ defmodule MvWeb.RoleLiveTest do

    attrs = Map.merge(default_attrs, attrs)

-    case Authorization.create_role(attrs) do
+    case Authorization.create_role(attrs, authorize?: false) do
      {:ok, role} -> role
      {:error, error} -> raise "Failed to create role: #{inspect(error)}"
    end
@ -29,7 +29,7 @@ defmodule MvWeb.RoleLiveTest do
  defp create_admin_user(conn, actor) do
    # Create admin role
    admin_role =
-      case Authorization.list_roles() do
+      case Authorization.list_roles(authorize?: false) do
        {:ok, roles} ->
          case Enum.find(roles, &(&1.name == "Admin")) do
            nil ->
@ -332,7 +332,7 @@ defmodule MvWeb.RoleLiveTest do
      assert match?({:error, {:redirect, %{to: "/admin/roles"}}}, result)
    end

-    test "updates role name", %{conn: conn, role: role} do
+    test "updates role name", %{conn: conn, role: role, actor: actor} do
      {:ok, view, _html} = live(conn, "/admin/roles/#{role.id}/edit?return_to=show")

      attrs = %{
@ -348,7 +348,7 @@ defmodule MvWeb.RoleLiveTest do
      assert_redirect(view, "/admin/roles/#{role.id}")

      # Verify update
-      {:ok, updated_role} = Authorization.get_role(role.id)
+      {:ok, updated_role} = Authorization.get_role(role.id, actor: actor)
      assert updated_role.name == "Updated Role Name"
    end

@ -377,7 +377,7 @@ defmodule MvWeb.RoleLiveTest do
      assert_redirect(view, "/admin/roles/#{system_role.id}")

      # Verify update
-      {:ok, updated_role} = Authorization.get_role(system_role.id)
+      {:ok, updated_role} = Authorization.get_role(system_role.id, actor: actor)
      assert updated_role.permission_set_name == "read_only"
    end
  end
@ -390,7 +390,7 @@ defmodule MvWeb.RoleLiveTest do
    end

    @tag :slow
-    test "deletes non-system role", %{conn: conn} do
+    test "deletes non-system role", %{conn: conn, actor: actor} do
      role = create_role()

      {:ok, view, html} = live(conn, "/admin/roles")
@ -404,7 +404,7 @@ defmodule MvWeb.RoleLiveTest do

      # Verify deletion by checking database
      assert {:error, %Ash.Error.Invalid{errors: [%Ash.Error.Query.NotFound{}]}} =
-               Authorization.get_role(role.id)
+               Authorization.get_role(role.id, actor: actor)
    end

    test "fails to delete system role with error message", %{conn: conn, actor: actor} do
@ -430,7 +430,7 @@ defmodule MvWeb.RoleLiveTest do
      assert render(view) =~ "System roles cannot be deleted"

      # Role should still exist
-      {:ok, _role} = Authorization.get_role(system_role.id)
+      {:ok, _role} = Authorization.get_role(system_role.id, actor: actor)
    end
  end