Add role loading fallback to HasPermission check

Extract ash_resource? helper to reduce nesting depth. Add ensure_role_loaded fallback for unloaded actor roles.
2026-01-22 21:36:10 +01:00 · 2026-01-22 21:36:10 +01:00 · 7eb7149e18
commit 7eb7149e18
parent 298a13c2e4
2 changed files with 104 additions and 1 deletions
--- a/test/mv/authorization/checks/has_permission_test.exs
+++ b/test/mv/authorization/checks/has_permission_test.exs
@ -274,4 +274,44 @@ defmodule Mv.Authorization.Checks.HasPermissionTest do
      end
    end
  end
+
+  describe "strict_check/3 - Role Loading Fallback" do
+    test "returns false if role is NotLoaded and cannot be loaded" do
+      # Create actor with NotLoaded role
+      # In real scenario, ensure_role_loaded would attempt to load via Ash.load
+      # For this test, we use a simple map to verify the pattern matching works
+      actor = %{
+        id: "user-123",
+        role: %Ash.NotLoaded{}
+      }
+
+      authorizer = create_authorizer(Mv.Accounts.User, :read)
+
+      # Should handle NotLoaded pattern and return false
+      # (In real scenario, ensure_role_loaded would attempt to load, but for this test
+      # we just verify the pattern matching works correctly)
+      {:ok, result} = HasPermission.strict_check(actor, authorizer, [])
+      assert result == false
+    end
+
+    test "returns false if role is nil" do
+      actor = %{
+        id: "user-123",
+        role: nil
+      }
+
+      authorizer = create_authorizer(Mv.Accounts.User, :read)
+
+      {:ok, result} = HasPermission.strict_check(actor, authorizer, [])
+      assert result == false
+    end
+
+    test "works correctly when role is already loaded" do
+      actor = create_actor("user-123", "admin")
+      authorizer = create_authorizer(Mv.Accounts.User, :read)
+
+      {:ok, result} = HasPermission.strict_check(actor, authorizer, [])
+      assert result == true
+    end
+  end
 end