Add resource policies for Group, MemberGroup, MembershipFeeType, MembershipFeeCycle

- Group/MemberGroup/MembershipFeeType/MembershipFeeCycle: HasPermission policy - normal_user: Group and MembershipFeeCycle create/update/destroy; pages /groups/new, /groups/:slug/edit - Add policy tests for all four resources
2026-02-03 23:52:12 +01:00 · 2026-02-03 23:52:12 +01:00 · 5889683854
commit 5889683854
parent 893f9453bd
8 changed files with 1081 additions and 12 deletions
--- a/lib/membership/group.ex
+++ b/lib/membership/group.ex
@ -36,7 +36,8 @@ defmodule Mv.Membership.Group do
  """
  use Ash.Resource,
    domain: Mv.Membership,
-    data_layer: AshPostgres.DataLayer
+    data_layer: AshPostgres.DataLayer,
+    authorizers: [Ash.Policy.Authorizer]

  require Ash.Query
  alias Mv.Helpers
@ -63,6 +64,13 @@ defmodule Mv.Membership.Group do
    end
  end

+  policies do
+    policy action_type([:read, :create, :update, :destroy]) do
+      description "Check permissions from role (all can read; normal_user and admin can create/update/destroy)"
+      authorize_if Mv.Authorization.Checks.HasPermission
+    end
+  end
+
  validations do
    validate present(:name)

@ -136,7 +144,7 @@ defmodule Mv.Membership.Group do
    query =
      Mv.Membership.Group
      |> Ash.Query.filter(fragment("LOWER(?) = LOWER(?)", name, ^name))
-      |> maybe_exclude_id(exclude_id)
+      |> Helpers.query_exclude_id(exclude_id)

    opts = Helpers.ash_actor_opts(actor)

@ -155,7 +163,4 @@ defmodule Mv.Membership.Group do
        :ok
    end
  end
-
-  defp maybe_exclude_id(query, nil), do: query
-  defp maybe_exclude_id(query, id), do: Ash.Query.filter(query, id != ^id)
 end
--- a/lib/membership/member_group.ex
+++ b/lib/membership/member_group.ex
@ -39,8 +39,10 @@ defmodule Mv.Membership.MemberGroup do
  """
  use Ash.Resource,
    domain: Mv.Membership,
-    data_layer: AshPostgres.DataLayer
+    data_layer: AshPostgres.DataLayer,
+    authorizers: [Ash.Policy.Authorizer]

+  import Ash.Expr
  require Ash.Query

  postgres do
@ -56,6 +58,26 @@ defmodule Mv.Membership.MemberGroup do
    end
  end

+  # Authorization: read uses bypass for :linked (own_data list) then HasPermission for :all;
+  # create/destroy use HasPermission (normal_user + admin only).
+  # Order: bypass first so own_data gets expr filter; HasPermission then authorizes :all for others.
+  policies do
+    bypass action_type(:read) do
+      description "own_data: read only member_groups where member_id == actor.member_id"
+      authorize_if expr(member_id == ^actor(:member_id))
+    end
+
+    policy action_type(:read) do
+      description "Check read permission from role (read_only/normal_user/admin :all)"
+      authorize_if Mv.Authorization.Checks.HasPermission
+    end
+
+    policy action_type([:create, :destroy]) do
+      description "Check create/destroy from role (normal_user + admin only)"
+      authorize_if Mv.Authorization.Checks.HasPermission
+    end
+  end
+
  validations do
    validate present(:member_id)
    validate present(:group_id)
@ -118,7 +140,7 @@ defmodule Mv.Membership.MemberGroup do
    query =
      Mv.Membership.MemberGroup
      |> Ash.Query.filter(member_id == ^member_id and group_id == ^group_id)
-      |> maybe_exclude_id(exclude_id)
+      |> Helpers.query_exclude_id(exclude_id)

    opts = Helpers.ash_actor_opts(actor)

@ -135,7 +157,4 @@ defmodule Mv.Membership.MemberGroup do
        :ok
    end
  end
-
-  defp maybe_exclude_id(query, nil), do: query
-  defp maybe_exclude_id(query, id), do: Ash.Query.filter(query, id != ^id)
 end
--- a/lib/membership_fees/membership_fee_cycle.ex
+++ b/lib/membership_fees/membership_fee_cycle.ex
@ -28,7 +28,8 @@ defmodule Mv.MembershipFees.MembershipFeeCycle do
  """
  use Ash.Resource,
    domain: Mv.MembershipFees,
-    data_layer: AshPostgres.DataLayer
+    data_layer: AshPostgres.DataLayer,
+    authorizers: [Ash.Policy.Authorizer]

  postgres do
    table "membership_fee_cycles"
@ -83,6 +84,13 @@ defmodule Mv.MembershipFees.MembershipFeeCycle do
    end
  end

+  policies do
+    policy action_type([:read, :create, :update, :destroy]) do
+      description "Check permissions from role (all read; normal_user and admin create/update/destroy)"
+      authorize_if Mv.Authorization.Checks.HasPermission
+    end
+  end
+
  attributes do
    uuid_v7_primary_key :id

--- a/lib/membership_fees/membership_fee_type.ex
+++ b/lib/membership_fees/membership_fee_type.ex
@ -24,7 +24,8 @@ defmodule Mv.MembershipFees.MembershipFeeType do
  """
  use Ash.Resource,
    domain: Mv.MembershipFees,
-    data_layer: AshPostgres.DataLayer
+    data_layer: AshPostgres.DataLayer,
+    authorizers: [Ash.Policy.Authorizer]

  postgres do
    table "membership_fee_types"
@ -61,6 +62,13 @@ defmodule Mv.MembershipFees.MembershipFeeType do
    end
  end

+  policies do
+    policy action_type([:read, :create, :update, :destroy]) do
+      description "Check permissions from role (all can read, only admin can create/update/destroy)"
+      authorize_if Mv.Authorization.Checks.HasPermission
+    end
+  end
+
  validations do
    # Prevent interval changes after creation
    validate fn changeset, _context ->