Doc: Loader auth-independent for link checks; email-sync rule rationale

2026-02-03 15:00:14 +01:00 · 2026-02-03 15:00:14 +01:00 · 4e6b7305b6
commit 4e6b7305b6
parent 4ea31f0f37
2 changed files with 9 additions and 7 deletions
--- a/lib/mv/email_sync/loader.ex
+++ b/lib/mv/email_sync/loader.ex
@ -3,13 +3,15 @@ defmodule Mv.EmailSync.Loader do
  Helper functions for loading linked records in email synchronization.
  Centralizes the logic for retrieving related User/Member entities.

-  ## Authorization
+  ## Authorization-independent link checks

-  This module runs systemically and uses the system actor for all operations.
-  This ensures that email synchronization always works, regardless of user permissions.
-
-  All functions use `Mv.Helpers.SystemActor.get_system_actor/0` to bypass
-  user permission checks, as email sync is a mandatory side effect.
+  All functions use the **system actor** for the load. Link existence
+  (linked vs not linked) is therefore determined **independently of the
+  current request actor**. This is required so that validations (e.g.
+  `EmailChangePermission`, `EmailNotUsedByOtherUser`) can correctly decide
+  "member is linked" even when the current user would not have read permission
+  on the related User. Using the request actor would otherwise allow
+  treating a linked member as unlinked and bypass the permission rule.
  """
  alias Mv.Helpers
  alias Mv.Helpers.SystemActor