feat: add approval ui for join requests

2026-03-11 02:04:03 +01:00 · 2026-03-11 02:04:03 +01:00 · 86d9242d83
commit 86d9242d83
parent 50433e607f
22 changed files with 1624 additions and 12 deletions
--- a/lib/mv/authorization/checks/has_join_request_access.ex
+++ b/lib/mv/authorization/checks/has_join_request_access.ex
@ -0,0 +1,32 @@
+defmodule Mv.Authorization.Checks.HasJoinRequestAccess do
+  @moduledoc """
+  Simple policy check: true when the actor's role has JoinRequest read/update permission.
+
+  Used for bypass policies on JoinRequest read actions. Uses SimpleCheck (not a filter-based
+  check) so Ash does NOT call auto_filter, which would silently return an empty list for
+  unauthorized actors instead of Forbidden.
+
+  Returns true for permission sets that grant JoinRequest read :all (normal_user, admin).
+  Returns false for all others (own_data, read_only, nil actor).
+  """
+  use Ash.Policy.SimpleCheck
+
+  alias Mv.Authorization.Actor
+  alias Mv.Authorization.PermissionSets
+
+  @impl true
+  def describe(_opts), do: "actor has JoinRequest read/update access (normal_user or admin)"
+
+  @impl true
+  def match?(actor, _context, _opts) do
+    with ps_name when not is_nil(ps_name) <- Actor.permission_set_name(actor),
+         {:ok, ps_atom} <- PermissionSets.permission_set_name_to_atom(ps_name),
+         permissions <- PermissionSets.get_permissions(ps_atom) do
+      Enum.any?(permissions.resources, fn p ->
+        p.resource == "JoinRequest" and p.action == :read and p.granted
+      end)
+    else
+      _ -> false
+    end
+  end
+end
--- a/lib/mv/authorization/permission_sets.ex
+++ b/lib/mv/authorization/permission_sets.ex
@ -218,7 +218,11 @@ defmodule Mv.Authorization.PermissionSets do
            perm("MembershipFeeCycle", :update, :all),
            perm("MembershipFeeCycle", :destroy, :all)
          ] ++
-          role_read_all(),
+          role_read_all() ++
+          [
+            perm("JoinRequest", :read, :all),
+            perm("JoinRequest", :update, :all)
+          ],
      pages: [
        "/",
        # Own profile (sidebar links to /users/:id; redirect target must be allowed)
@ -247,7 +251,10 @@ defmodule Mv.Authorization.PermissionSets do
        # Edit group
        "/groups/:slug/edit",
        # Statistics
-        "/statistics"
+        "/statistics",
+        # Approval UI (Step 2)
+        "/join_requests",
+        "/join_requests/:id"
      ]
    }
  end
@ -270,7 +277,8 @@ defmodule Mv.Authorization.PermissionSets do
          perm_all("Group") ++
          member_group_perms ++
          perm_all("MembershipFeeType") ++
-          perm_all("MembershipFeeCycle"),
+          perm_all("MembershipFeeCycle") ++
+          perm_all("JoinRequest"),
      pages: [
        # Explicit admin-only pages (for clarity and future restrictions)
        "/settings",