Merge branch 'main' into feature/filter-boolean-custom-fields
Some checks failed
continuous-integration/drone/push Build is failing
Some checks failed
continuous-integration/drone/push Build is failing
This commit is contained in:
commit
672b4a8250
GPG key ID:
40E7A58C4AA1EDB2
45 changed files with 3166 additions and 359 deletions
|
|
@ -20,10 +20,13 @@ defmodule MvWeb.LinkOidcAccountLive do
|
|||
|
||||
@impl true
|
||||
def mount(_params, session, socket) do
|
||||
# Use SystemActor for authorization during OIDC linking (user is not yet logged in)
|
||||
system_actor = Mv.Helpers.SystemActor.get_system_actor()
|
||||
|
||||
with user_id when not is_nil(user_id) <- Map.get(session, "oidc_linking_user_id"),
|
||||
oidc_user_info when not is_nil(oidc_user_info) <-
|
||||
Map.get(session, "oidc_linking_user_info"),
|
||||
{:ok, user} <- Ash.get(Mv.Accounts.User, user_id) do
|
||||
{:ok, user} <- Ash.get(Mv.Accounts.User, user_id, actor: system_actor) do
|
||||
# Check if user is passwordless
|
||||
if passwordless?(user) do
|
||||
# Auto-link passwordless user immediately
|
||||
|
|
@ -46,9 +49,12 @@ defmodule MvWeb.LinkOidcAccountLive do
|
|||
end
|
||||
|
||||
defp reload_user!(user_id) do
|
||||
# Use SystemActor for authorization during OIDC linking (user is not yet logged in)
|
||||
system_actor = Mv.Helpers.SystemActor.get_system_actor()
|
||||
|
||||
Mv.Accounts.User
|
||||
|> Ash.Query.filter(id == ^user_id)
|
||||
|> Ash.read_one!()
|
||||
|> Ash.read_one!(actor: system_actor)
|
||||
end
|
||||
|
||||
defp reset_password_form(socket) do
|
||||
|
|
@ -58,13 +64,16 @@ defmodule MvWeb.LinkOidcAccountLive do
|
|||
defp auto_link_passwordless_user(socket, user, oidc_user_info) do
|
||||
oidc_id = Map.get(oidc_user_info, "sub") || Map.get(oidc_user_info, "id")
|
||||
|
||||
# Use SystemActor for authorization (passwordless user auto-linking)
|
||||
system_actor = Mv.Helpers.SystemActor.get_system_actor()
|
||||
|
||||
case user.id
|
||||
|> reload_user!()
|
||||
|> Ash.Changeset.for_update(:link_oidc_id, %{
|
||||
oidc_id: oidc_id,
|
||||
oidc_user_info: oidc_user_info
|
||||
})
|
||||
|> Ash.update() do
|
||||
|> Ash.update(actor: system_actor) do
|
||||
{:ok, updated_user} ->
|
||||
Logger.info(
|
||||
"Passwordless account auto-linked to OIDC: user_id=#{updated_user.id}, oidc_id=#{oidc_id}"
|
||||
|
|
@ -187,6 +196,9 @@ defmodule MvWeb.LinkOidcAccountLive do
|
|||
defp link_oidc_account(socket, user, oidc_user_info) do
|
||||
oidc_id = Map.get(oidc_user_info, "sub") || Map.get(oidc_user_info, "id")
|
||||
|
||||
# Use SystemActor for authorization (user just verified password but is not yet logged in)
|
||||
system_actor = Mv.Helpers.SystemActor.get_system_actor()
|
||||
|
||||
# Update the user with the OIDC ID
|
||||
case user.id
|
||||
|> reload_user!()
|
||||
|
|
@ -194,7 +206,7 @@ defmodule MvWeb.LinkOidcAccountLive do
|
|||
oidc_id: oidc_id,
|
||||
oidc_user_info: oidc_user_info
|
||||
})
|
||||
|> Ash.update() do
|
||||
|> Ash.update(actor: system_actor) do
|
||||
{:ok, updated_user} ->
|
||||
# After successful linking, redirect to OIDC login
|
||||
# Since the user now has an oidc_id, the next OIDC login will succeed
|
||||
|
|
|
|||
|
|
@ -21,8 +21,6 @@ defmodule MvWeb.MemberLive.Form do
|
|||
"""
|
||||
use MvWeb, :live_view
|
||||
|
||||
on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
|
||||
|
||||
import MvWeb.LiveHelpers, only: [current_actor: 1, submit_form: 3]
|
||||
|
||||
alias Mv.MembershipFees
|
||||
|
|
|
|||
|
|
@ -27,8 +27,6 @@ defmodule MvWeb.MemberLive.Index do
|
|||
"""
|
||||
use MvWeb, :live_view
|
||||
|
||||
on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
|
||||
|
||||
require Ash.Query
|
||||
require Logger
|
||||
import Ash.Expr
|
||||
|
|
|
|||
|
|
@ -22,8 +22,6 @@ defmodule MvWeb.MemberLive.Show do
|
|||
import Ash.Query
|
||||
import MvWeb.LiveHelpers, only: [current_actor: 1]
|
||||
|
||||
on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
|
||||
|
||||
alias MvWeb.Helpers.MembershipFeeHelpers
|
||||
|
||||
@impl true
|
||||
|
|
|
|||
|
|
@ -554,46 +554,55 @@ defmodule MvWeb.MemberLive.Show.MembershipFeesComponent do
|
|||
end
|
||||
|
||||
def handle_event("regenerate_cycles", _params, socket) do
|
||||
socket = assign(socket, :regenerating, true)
|
||||
member = socket.assigns.member
|
||||
actor = current_actor(socket)
|
||||
|
||||
case CycleGenerator.generate_cycles_for_member(member.id, actor: actor) do
|
||||
{:ok, _new_cycles, _notifications} ->
|
||||
# Reload member with cycles
|
||||
actor = current_actor(socket)
|
||||
# SECURITY: Only admins can manually regenerate cycles via UI
|
||||
# Cycle generation itself uses system actor, but UI access should be restricted
|
||||
if actor.role && actor.role.permission_set_name == "admin" do
|
||||
socket = assign(socket, :regenerating, true)
|
||||
member = socket.assigns.member
|
||||
|
||||
updated_member =
|
||||
member
|
||||
|> Ash.load!(
|
||||
[
|
||||
:membership_fee_type,
|
||||
membership_fee_cycles: [:membership_fee_type]
|
||||
],
|
||||
actor: actor
|
||||
)
|
||||
case CycleGenerator.generate_cycles_for_member(member.id) do
|
||||
{:ok, _new_cycles, _notifications} ->
|
||||
# Reload member with cycles
|
||||
actor = current_actor(socket)
|
||||
|
||||
cycles =
|
||||
Enum.sort_by(
|
||||
updated_member.membership_fee_cycles || [],
|
||||
& &1.cycle_start,
|
||||
{:desc, Date}
|
||||
)
|
||||
updated_member =
|
||||
member
|
||||
|> Ash.load!(
|
||||
[
|
||||
:membership_fee_type,
|
||||
membership_fee_cycles: [:membership_fee_type]
|
||||
],
|
||||
actor: actor
|
||||
)
|
||||
|
||||
send(self(), {:member_updated, updated_member})
|
||||
cycles =
|
||||
Enum.sort_by(
|
||||
updated_member.membership_fee_cycles || [],
|
||||
& &1.cycle_start,
|
||||
{:desc, Date}
|
||||
)
|
||||
|
||||
{:noreply,
|
||||
socket
|
||||
|> assign(:member, updated_member)
|
||||
|> assign(:cycles, cycles)
|
||||
|> assign(:regenerating, false)
|
||||
|> put_flash(:info, gettext("Cycles regenerated successfully"))}
|
||||
send(self(), {:member_updated, updated_member})
|
||||
|
||||
{:error, error} ->
|
||||
{:noreply,
|
||||
socket
|
||||
|> assign(:regenerating, false)
|
||||
|> put_flash(:error, format_error(error))}
|
||||
{:noreply,
|
||||
socket
|
||||
|> assign(:member, updated_member)
|
||||
|> assign(:cycles, cycles)
|
||||
|> assign(:regenerating, false)
|
||||
|> put_flash(:info, gettext("Cycles regenerated successfully"))}
|
||||
|
||||
{:error, error} ->
|
||||
{:noreply,
|
||||
socket
|
||||
|> assign(:regenerating, false)
|
||||
|> put_flash(:error, format_error(error))}
|
||||
end
|
||||
else
|
||||
{:noreply,
|
||||
socket
|
||||
|> put_flash(:error, gettext("Only administrators can regenerate cycles"))}
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
|||
|
|
@ -13,7 +13,6 @@ defmodule MvWeb.MembershipFeeTypeLive.Form do
|
|||
"""
|
||||
use MvWeb, :live_view
|
||||
|
||||
on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
|
||||
import MvWeb.LiveHelpers, only: [current_actor: 1, submit_form: 3]
|
||||
|
||||
require Ash.Query
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@ defmodule MvWeb.MembershipFeeTypeLive.Index do
|
|||
"""
|
||||
use MvWeb, :live_view
|
||||
|
||||
on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
|
||||
import MvWeb.LiveHelpers, only: [current_actor: 1]
|
||||
|
||||
require Ash.Query
|
||||
|
|
|
|||
|
|
@ -17,8 +17,6 @@ defmodule MvWeb.RoleLive.Form do
|
|||
|
||||
import MvWeb.RoleLive.Helpers, only: [format_error: 1]
|
||||
|
||||
on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
|
||||
|
||||
@impl true
|
||||
def render(assigns) do
|
||||
~H"""
|
||||
|
|
|
|||
|
|
@ -24,8 +24,6 @@ defmodule MvWeb.RoleLive.Index do
|
|||
import MvWeb.RoleLive.Helpers,
|
||||
only: [format_error: 1, permission_set_badge_class: 1, opts_with_actor: 3]
|
||||
|
||||
on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
|
||||
|
||||
@impl true
|
||||
def mount(_params, _session, socket) do
|
||||
actor = socket.assigns[:current_user]
|
||||
|
|
|
|||
|
|
@ -19,8 +19,6 @@ defmodule MvWeb.RoleLive.Show do
|
|||
import MvWeb.RoleLive.Helpers,
|
||||
only: [format_error: 1, permission_set_badge_class: 1, opts_with_actor: 3]
|
||||
|
||||
on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
|
||||
|
||||
@impl true
|
||||
def mount(%{"id" => id}, _session, socket) do
|
||||
try do
|
||||
|
|
|
|||
|
|
@ -33,7 +33,6 @@ defmodule MvWeb.UserLive.Form do
|
|||
"""
|
||||
use MvWeb, :live_view
|
||||
|
||||
on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
|
||||
import MvWeb.LiveHelpers, only: [current_actor: 1, submit_form: 3]
|
||||
|
||||
@impl true
|
||||
|
|
|
|||
|
|
@ -23,7 +23,6 @@ defmodule MvWeb.UserLive.Index do
|
|||
use MvWeb, :live_view
|
||||
import MvWeb.TableComponents
|
||||
|
||||
on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
|
||||
import MvWeb.LiveHelpers, only: [current_actor: 1]
|
||||
|
||||
@impl true
|
||||
|
|
|
|||
|
|
@ -26,7 +26,6 @@ defmodule MvWeb.UserLive.Show do
|
|||
"""
|
||||
use MvWeb, :live_view
|
||||
|
||||
on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
|
||||
import MvWeb.LiveHelpers, only: [current_actor: 1]
|
||||
|
||||
@impl true
|
||||
|
|
|
|||
|
|
@ -27,39 +27,17 @@ defmodule MvWeb.LiveHelpers do
|
|||
end
|
||||
|
||||
defp ensure_user_role_loaded(socket) do
|
||||
if socket.assigns[:current_user] do
|
||||
user = socket.assigns.current_user
|
||||
user_with_role = load_user_role(user)
|
||||
user = socket.assigns[:current_user]
|
||||
|
||||
if user do
|
||||
# Use centralized Actor helper to ensure role is loaded
|
||||
user_with_role = Mv.Authorization.Actor.ensure_loaded(user)
|
||||
assign(socket, :current_user, user_with_role)
|
||||
else
|
||||
socket
|
||||
end
|
||||
end
|
||||
|
||||
defp load_user_role(user) do
|
||||
case Map.get(user, :role) do
|
||||
%Ash.NotLoaded{} -> load_role_safely(user)
|
||||
nil -> load_role_safely(user)
|
||||
_role -> user
|
||||
end
|
||||
end
|
||||
|
||||
defp load_role_safely(user) do
|
||||
# Use self as actor for loading own role relationship
|
||||
opts = [domain: Mv.Accounts, actor: user]
|
||||
|
||||
case Ash.load(user, :role, opts) do
|
||||
{:ok, loaded_user} ->
|
||||
loaded_user
|
||||
|
||||
{:error, error} ->
|
||||
# Log warning if role loading fails - this can cause authorization issues
|
||||
require Logger
|
||||
Logger.warning("Failed to load role for user #{user.id}: #{inspect(error)}")
|
||||
user
|
||||
end
|
||||
end
|
||||
|
||||
@doc """
|
||||
Helper function to get the current actor (user) from socket assigns.
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue