fix: add actor and domain parameters to user count functions

Add actor parameter to load_user_counts and recalculate_user_count in Index LiveView to ensure consistent authorization and policy enforcement. Also add domain parameter for clarity.
2026-01-08 14:09:27 +01:00 · 2026-01-08 14:09:27 +01:00 · 548bad6703
commit 548bad6703
parent 37a2fc3e83
1 changed files with 12 additions and 6 deletions
--- a/lib/mv_web/live/role_live/index.ex
+++ b/lib/mv_web/live/role_live/index.ex
@ -27,7 +27,7 @@ defmodule MvWeb.RoleLive.Index do
  def mount(_params, _session, socket) do
    actor = socket.assigns[:current_user]
    roles = load_roles(actor)
-    user_counts = load_user_counts(roles)
+    user_counts = load_user_counts(roles, actor)

    {:ok,
     socket
@ -71,7 +71,7 @@ defmodule MvWeb.RoleLive.Index do
         gettext("System roles cannot be deleted.")
       )}
    else
-      user_count = recalculate_user_count(role)
+      user_count = recalculate_user_count(role, socket.assigns.current_user)

      if user_count > 0 do
        {:noreply,
@ -123,16 +123,19 @@ defmodule MvWeb.RoleLive.Index do
  end

  # Loads all user counts for roles in a single query to avoid N+1 queries
-  defp load_user_counts(roles) do
+  defp load_user_counts(roles, actor) do
    role_ids = Enum.map(roles, & &1.id)

    # Load all users with role_id in a single query
+    opts = [domain: Mv.Accounts]
+    opts = if actor, do: Keyword.put(opts, :actor, actor), else: opts
+
    users =
      case Ash.read(
             Accounts.User
             |> Ash.Query.filter(role_id in ^role_ids)
             |> Ash.Query.select([:role_id]),
-             domain: Mv.Accounts
+             opts
           ) do
        {:ok, users_list} -> users_list
        {:error, _} -> []
@ -151,8 +154,11 @@ defmodule MvWeb.RoleLive.Index do
  end

  # Recalculates user count for a specific role (used before deletion)
-  defp recalculate_user_count(role) do
-    case Ash.count(Accounts.User |> Ash.Query.filter(role_id == ^role.id)) do
+  defp recalculate_user_count(role, actor) do
+    opts = [domain: Mv.Accounts]
+    opts = if actor, do: Keyword.put(opts, :actor, actor), else: opts
+
+    case Ash.count(Accounts.User |> Ash.Query.filter(role_id == ^role.id), opts) do
      {:ok, count} -> count
      _ -> 0
    end