From 626e8a872e4c638d63a30fe2361ba92e380ae7e6 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Thu, 29 Jan 2026 23:56:03 +0100
Subject: [PATCH] feat: restrict own_data to profile and linked member pages

- Remove "/" from own_data pages (Mitglied redirected to profile at root).
- Add /users/:id, /users/:id/edit, /users/:id/show/edit and member edit pages for own_data so members can access own profile and linked member only.
---
 lib/mv/authorization/permission_sets.ex | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/lib/mv/authorization/permission_sets.ex b/lib/mv/authorization/permission_sets.ex
index 1d5c87b..200a0dd 100644
--- a/lib/mv/authorization/permission_sets.ex
+++ b/lib/mv/authorization/permission_sets.ex
@@ -118,12 +118,16 @@ defmodule Mv.Authorization.PermissionSets do
 %{resource: "Group", action: :read, scope: :all, granted: true}
 ],
 pages: [
- # Home page
- "/",
- # Own profile
+ # No "/" - Mitglied must not see member index at root (same content as /members).
+ # Own profile (sidebar links to /users/:id) and own user edit
 "/profile",
- # Linked member detail (filtered by policy)
- "/members/:id"
+ "/users/:id",
+ "/users/:id/edit",
+ "/users/:id/show/edit",
+ # Linked member detail and edit (data access filtered by policy scope: :linked)
+ "/members/:id",
+ "/members/:id/edit",
+ "/members/:id/show/edit"
 ]
 }
 end
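Review bot: The added `/users/:id`, `/users/:id/edit` and `/users/:id/show/edit` patterns match any id, so this page list by itself does not confine an own_data member to their own account; unlike the member lines, the comment above them does not say which policy does. The permission map opens above the hunk and its resources list is only partly visible, so I cannot confirm that a User entry restricted to the actor's own record (and a Member update entry with `scope: :linked`) backs the new edit pages; presumably it does, but that should be checked. I would extend the comment to something like `# :id matches any user; restriction to the actor's own record comes from the User resource policy, not from this page list`, and add a test that an own_data actor requesting another user's `/users/:id/edit` or an unlinked `/members/:id/edit` is rejected.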