local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 72 Pull requests 3 Projects 4 Releases Packages 1 Activity Actions

security: remove is_system_role from public API

Browse source 
Remove is_system_role from accept lists in create_role and update_role
actions. This field should only be set via seeds or internal actions to
prevent users from creating unkillable roles through the public API.
This commit is contained in:
Moritz 2026-01-06 19:04:03 +01:00
parent 73763b1f58
commit 5f13901ca5
4 changed files with 11 additions and 122 deletions
Download patch file Download diff file Expand all files Collapse all files

4
lib/accounts/user.ex
View file

@ -17,6 +17,10 @@ defmodule Mv.Accounts.User do
# When a member is deleted, set the user's member_id to NULL
# This allows users to continue existing even if their linked member is removed
reference :member, on_delete: :nilify
# When a role is deleted, prevent deletion if users are assigned to it
# This protects critical roles from accidental deletion
reference :role, on_delete: :restrict
end
end

9
lib/mv/authorization/role.ex
View file

@ -61,14 +61,16 @@ defmodule Mv.Authorization.Role do
create :create_role do
primary? true
accept [:name, :description, :permission_set_name, :is_system_role]
# is_system_role is intentionally excluded - should only be set via seeds/internal actions
accept [:name, :description, :permission_set_name]
# Note: In Ash 3.0, require_atomic? is not available for create actions
# Custom validations will still work
end
update :update_role do
primary? true
accept [:name, :description, :permission_set_name, :is_system_role]
# is_system_role is intentionally excluded - should only be set via seeds/internal actions
accept [:name, :description, :permission_set_name]
# Required because custom validation functions cannot be executed atomically
require_atomic? false
end
@ -85,7 +87,8 @@ defmodule Mv.Authorization.Role do
Mv.Authorization.PermissionSets.all_permission_sets()
|> Enum.map(&Atom.to_string/1)
),
message: "must be one of: own_data, read_only, normal_user, admin"
message:
"must be one of: #{Mv.Authorization.PermissionSets.all_permission_sets() |> Enum.map_join(", ", &Atom.to_string/1)}"
validate fn changeset, _context ->
if changeset.data.is_system_role do