local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 72 Pull requests 3 Projects 4 Releases Packages 1 Activity Actions

Fix: Seeds use admin actor instead of NoActor bypass

Browse source 
This ensures seeds work correctly with the new fail-closed NoActor
policy in production, using proper authorization instead of bypass.
This commit is contained in:
Moritz 2026-01-08 22:54:51 +01:00
parent 6846363132
commit 4fffeeaaa0
Signed by: moritz
GPG key ID: 1020A035E5DD0824
1 changed files with 36 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

46
priv/repo/seeds.exs
View file

@ -162,6 +162,17 @@ if admin_role do
|> Ash.update!() |> Ash.update!()
end end
# Load admin user with role for use as actor in member operations
# This ensures all member operations have proper authorization
# If admin role creation failed, we cannot proceed with member operations
admin_user_with_role =
if admin_role do
admin_user
|> Ash.load!(:role)
else
raise "Failed to create or find admin role. Cannot proceed with member seeding."
end
# Load all membership fee types for assignment # Load all membership fee types for assignment
# Sort by name to ensure deterministic order # Sort by name to ensure deterministic order
all_fee_types = all_fee_types =
@ -236,7 +247,8 @@ Enum.each(member_attrs_list, fn member_attrs ->
member = member =
Membership.create_member!(member_attrs_without_fee_type, Membership.create_member!(member_attrs_without_fee_type,
upsert?: true, upsert?: true,
upsert_identity: :unique_email upsert_identity: :unique_email,
actor: admin_user_with_role
) )
# Only set membership_fee_type_id if member doesn't have one yet (idempotent) # Only set membership_fee_type_id if member doesn't have one yet (idempotent)
@ -247,7 +259,7 @@ Enum.each(member_attrs_list, fn member_attrs ->
|> Ash.Changeset.for_update(:update_member, %{ |> Ash.Changeset.for_update(:update_member, %{
membership_fee_type_id: member_attrs_without_status.membership_fee_type_id membership_fee_type_id: member_attrs_without_status.membership_fee_type_id
}) })
|> Ash.update!() |> Ash.update!(actor: admin_user_with_role)
else else
member member
end end
@ -299,7 +311,7 @@ Enum.each(member_attrs_list, fn member_attrs ->
if cycle.status != status do if cycle.status != status do
cycle cycle
|> Ash.Changeset.for_update(:update, %{status: status}) |> Ash.Changeset.for_update(:update, %{status: status})
|> Ash.update!() |> Ash.update!(actor: admin_user_with_role)
end end
end) end)
end end
@ -371,13 +383,15 @@ Enum.with_index(linked_members)
Membership.create_member!( Membership.create_member!(
Map.put(member_attrs_without_fee_type, :user, %{id: user.id}), Map.put(member_attrs_without_fee_type, :user, %{id: user.id}),
upsert?: true, upsert?: true,
upsert_identity: :unique_email upsert_identity: :unique_email,
actor: admin_user_with_role
) )
else else
# User already has a member, just create the member without linking - use upsert to prevent duplicates # User already has a member, just create the member without linking - use upsert to prevent duplicates
Membership.create_member!(member_attrs_without_fee_type, Membership.create_member!(member_attrs_without_fee_type,
upsert?: true, upsert?: true,
upsert_identity: :unique_email upsert_identity: :unique_email,
actor: admin_user_with_role
) )
end end
@ -391,7 +405,7 @@ Enum.with_index(linked_members)
member member
|> Ash.Changeset.for_update(:update_member, %{membership_fee_type_id: fee_type.id}) |> Ash.Changeset.for_update(:update_member, %{membership_fee_type_id: fee_type.id})
|> Ash.update!() |> Ash.update!(actor: admin_user_with_role)
else else
member member
end end
@ -435,7 +449,7 @@ Enum.with_index(linked_members)
end) end)
# Create sample custom field values for some members # Create sample custom field values for some members
all_members = Ash.read!(Membership.Member) all_members = Ash.read!(Membership.Member, actor: admin_user_with_role)
all_custom_fields = Ash.read!(Membership.CustomField) all_custom_fields = Ash.read!(Membership.CustomField)
# Helper function to find custom field by name # Helper function to find custom field by name
@ -463,7 +477,11 @@ if hans = find_member.("hans.mueller@example.de") do
custom_field_id: field.id, custom_field_id: field.id,
value: value value: value
}) })
|> Ash.create!(upsert?: true, upsert_identity: :unique_custom_field_per_member) |> Ash.create!(
upsert?: true,
upsert_identity: :unique_custom_field_per_member,
actor: admin_user_with_role
)
end end
end) end)
end end
@ -488,7 +506,11 @@ if greta = find_member.("greta.schmidt@example.de") do
custom_field_id: field.id, custom_field_id: field.id,
value: value value: value
}) })
|> Ash.create!(upsert?: true, upsert_identity: :unique_custom_field_per_member) |> Ash.create!(
upsert?: true,
upsert_identity: :unique_custom_field_per_member,
actor: admin_user_with_role
)
end end
end) end)
end end
@ -514,7 +536,11 @@ if friedrich = find_member.("friedrich.wagner@example.de") do
custom_field_id: field.id, custom_field_id: field.id,
value: value value: value
}) })
|> Ash.create!(upsert?: true, upsert_identity: :unique_custom_field_per_member) |> Ash.create!(
upsert?: true,
upsert_identity: :unique_custom_field_per_member,
actor: admin_user_with_role
)
end end
end) end)
end end