security: remove is_system_role from public API

Remove is_system_role from accept lists in create_role and update_role
actions. This field should only be set via seeds or internal actions to
prevent users from creating unkillable roles through the public API.
Moritz 2026-01-06 19:04:03 +01:00
parent 73763b1f58
commit 5f13901ca5
4 changed files with 11 additions and 122 deletions


@ -61,14 +61,16 @@ defmodule Mv.Authorization.Role do
create :create_role do
primary? true
accept [:name, :description, :permission_set_name, :is_system_role]
# is_system_role is intentionally excluded - should only be set via seeds/internal actions
accept [:name, :description, :permission_set_name]
# Note: In Ash 3.0, require_atomic? is not available for create actions
# Custom validations will still work
end
update :update_role do
primary? true
accept [:name, :description, :permission_set_name, :is_system_role]
# is_system_role is intentionally excluded - should only be set via seeds/internal actions
accept [:name, :description, :permission_set_name]
# Required because custom validation functions cannot be executed atomically
require_atomic? false
end
@ -85,7 +87,8 @@ defmodule Mv.Authorization.Role do
Mv.Authorization.PermissionSets.all_permission_sets()
|> Enum.map(&Atom.to_string/1)
),
message: "must be one of: own_data, read_only, normal_user, admin"
message:
"must be one of: #{Mv.Authorization.PermissionSets.all_permission_sets() |> Enum.map_join(", ", &Atom.to_string/1)}"
validate fn changeset, _context ->
if changeset.data.is_system_role do