Merge branch 'main' into feature/371-groups-resource

lib/membership/custom_field_value.ex

@@ -39,7 +39,10 @@ defmodule Mv.Membership.CustomFieldValue do
   """
   use Ash.Resource,
     domain: Mv.Membership,
-    data_layer: AshPostgres.DataLayer
+    data_layer: AshPostgres.DataLayer,
+    authorizers: [Ash.Policy.Authorizer]
+
+  import Ash.Expr
 
   postgres do
     table "custom_field_values"
@@ -62,6 +65,36 @@ defmodule Mv.Membership.CustomFieldValue do
     end
   end
 
+  # Authorization Policies
+  # Order matters: Most specific policies first, then general permission check
+  # Pattern aligns with User and Member resources (bypass for READ, HasPermission for update/destroy)
+  # Create uses CustomFieldValueCreateScope because Ash cannot apply filters to create actions.
+  policies do
+    # SPECIAL CASE: Users can READ custom field values of their linked member
+    # Bypass needed for list queries (expr triggers auto_filter in Ash)
+    bypass action_type(:read) do
+      description "Users can read custom field values of their linked member"
+      authorize_if expr(member_id == ^actor(:member_id))
+    end
+
+    # CREATE: CustomFieldValueCreateScope (no filter; Ash rejects filters on create)
+    # - :own_data -> create allowed when member_id == actor.member_id (scope :linked)
+    # - :read_only -> no create permission
+    # - :normal_user / :admin -> create allowed (scope :all)
+    policy action_type(:create) do
+      description "CustomFieldValue create allowed by permission set scope"
+      authorize_if Mv.Authorization.Checks.CustomFieldValueCreateScope
+    end
+
+    # READ/UPDATE/DESTROY: HasPermission (scope :linked / :all)
+    policy action_type([:read, :update, :destroy]) do
+      description "Check permissions from user's role and permission set"
+      authorize_if Mv.Authorization.Checks.HasPermission
+    end
+
+    # DEFAULT: Ash implicitly forbids if no policy authorized (fail-closed)
+  end
+
   attributes do
     uuid_primary_key :id
 

lib/mv/authorization/checks/custom_field_value_create_scope.ex

@@ -0,0 +1,71 @@
+defmodule Mv.Authorization.Checks.CustomFieldValueCreateScope do
+  @moduledoc """
+  Policy check for CustomFieldValue create actions only.
+
+  Use this for create instead of HasPermission because Ash cannot apply
+  filters to create actions ("Cannot use a filter to authorize a create").
+  This check performs the same scope logic as HasPermission for create
+  (PermissionSets + :linked/:all) but only implements strict_check, so it
+  never adds a filter.
+
+  ## member_id source
+
+  The check reads `member_id` from the create changeset via
+  `Ash.Changeset.get_argument_or_attribute/2`, so it works when member_id
+  is set as an attribute or as an action argument. The CustomFieldValue
+  resource's default create action must accept and require `member_id`
+  (e.g. via `default_accept [:value, :member_id, :custom_field_id]`).
+
+  Used in CustomFieldValue policies:
+    policy action_type(:create) do
+      authorize_if Mv.Authorization.Checks.CustomFieldValueCreateScope
+    end
+  """
+  use Ash.Policy.Check
+  alias Mv.Authorization.PermissionSets
+
+  @impl true
+  def describe(_opts),
+    do: "CustomFieldValue create allowed by permission set scope (:linked or :all)"
+
+  @impl true
+  def strict_check(actor, authorizer, _opts) do
+    actor = ensure_role_loaded(actor)
+
+    with %{role: %{permission_set_name: ps_name}} when not is_nil(ps_name) <- actor,
+         {:ok, ps_atom} <- PermissionSets.permission_set_name_to_atom(ps_name),
+         permissions <- PermissionSets.get_permissions(ps_atom),
+         perm <- find_custom_field_value_create(permissions.resources) do
+      case perm do
+        nil -> {:ok, false}
+        %{scope: :all} -> {:ok, true}
+        %{scope: :linked} -> {:ok, member_id_matches?(authorizer, actor)}
+      end
+    else
+      _ -> {:ok, false}
+    end
+  end
+
+  defp find_custom_field_value_create(resources) do
+    Enum.find(resources, fn p ->
+      p.resource == "CustomFieldValue" and p.action == :create and p.granted
+    end)
+  end
+
+  defp member_id_matches?(authorizer, actor) do
+    member_id = get_create_member_id(authorizer)
+    !is_nil(member_id) and member_id == actor.member_id
+  end
+
+  defp get_create_member_id(authorizer) do
+    changeset = authorizer.changeset || authorizer.subject
+
+    if changeset && function_exported?(Ash.Changeset, :get_argument_or_attribute, 2) do
+      Ash.Changeset.get_argument_or_attribute(changeset, :member_id)
+    else
+      nil
+    end
+  end
+
+  defp ensure_role_loaded(actor), do: Mv.Authorization.Actor.ensure_loaded(actor)
+end

lib/mv/authorization/checks/has_permission.ex

@@ -148,6 +148,7 @@ defmodule Mv.Authorization.Checks.HasPermission do
           else
             # No record yet (e.g., read/list queries) - deny at strict_check level
             # Resources must use expr-based bypass policies for list filtering
+            # Create: use a dedicated check that does not return a filter (e.g. CustomFieldValueCreateScope)
             {:ok, false}
           end
 
@@ -213,7 +214,7 @@ defmodule Mv.Authorization.Checks.HasPermission do
 
         {:filter, filter_expr} ->
           # :linked or :own scope - apply filter
-          # filter_expr is a keyword list from expr(...), return it directly
+          # Create actions must not use HasPermission (use a dedicated check, e.g. CustomFieldValueCreateScope)
           filter_expr
 
         false ->

lib/mv/authorization/permission_sets.ex

@@ -105,9 +105,11 @@ defmodule Mv.Authorization.PermissionSets do
         %{resource: "Member", action: :read, scope: :linked, granted: true},
         %{resource: "Member", action: :update, scope: :linked, granted: true},
 
-        # CustomFieldValue: Can read/update custom field values of linked member
+        # CustomFieldValue: Can read/update/create/destroy custom field values of linked member
         %{resource: "CustomFieldValue", action: :read, scope: :linked, granted: true},
         %{resource: "CustomFieldValue", action: :update, scope: :linked, granted: true},
+        %{resource: "CustomFieldValue", action: :create, scope: :linked, granted: true},
+        %{resource: "CustomFieldValue", action: :destroy, scope: :linked, granted: true},
 
         # CustomField: Can read all (needed for forms)
         %{resource: "CustomField", action: :read, scope: :all, granted: true}