local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 66 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

Setting: remove unused actor in default_fee_type validation

Browse source 
- Docs: Regenerate Cycles server-side enforcement note in membership-fee-architecture.
This commit is contained in:
Moritz 2026-02-04 11:40:19 +01:00
parent d7c6d20483
commit 503401f2e6
2 changed files with 1 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/membership-fee-architecture.md
View file

@ -340,7 +340,7 @@ lib/
- **MembershipFeeType:** All permission sets can read (:all); only admin has create/update/destroy (:all). - **MembershipFeeType:** All permission sets can read (:all); only admin has create/update/destroy (:all).
- **MembershipFeeCycle:** All can read (:all); read_only has read only; normal_user and admin have read + create + update + destroy (:all). - **MembershipFeeCycle:** All can read (:all); read_only has read only; normal_user and admin have read + create + update + destroy (:all).
- **Manual "Regenerate Cycles" (UI):** The "Regenerate Cycles" button in the member detail view is shown to users who have MembershipFeeCycle create permission (normal_user and admin). Regeneration runs with system actor; UI access is gated by `can_create_cycle`. - **Manual "Regenerate Cycles" (UI + server):** The "Regenerate Cycles" button in the member detail view is shown to users who have MembershipFeeCycle create permission (normal_user and admin). UI access is gated by `can_create_cycle`. The LiveView handler also enforces `can?(:create, MembershipFeeCycle)` server-side before running regeneration (so e.g. a read_only user cannot trigger it via DevTools). Regeneration runs with system actor.
**Resource Policies:** **Resource Policies:**

8
lib/membership/setting.ex
View file

@ -160,14 +160,6 @@ defmodule Mv.Membership.Setting do
Ash.Changeset.get_attribute(changeset, :default_membership_fee_type_id) Ash.Changeset.get_attribute(changeset, :default_membership_fee_type_id)
if fee_type_id do if fee_type_id do
# Actor may be in changeset.context (action context) or validation context
ctx = changeset.context || %{}
actor =
get_in(ctx, [:private, :actor]) ||
Map.get(ctx, :actor) ||
(context && Map.get(context, :actor))
# Check existence only; action is already restricted by policy (e.g. admin). # Check existence only; action is already restricted by policy (e.g. admin).
opts = [domain: Mv.MembershipFees, authorize?: false] opts = [domain: Mv.MembershipFees, authorize?: false]