feat: add approval ui for join requests
parent
50433e607f
commit
86d9242d83
22 changed files with 1624 additions and 12 deletions
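--- a/lib/mv/authorization/checks/has_join_request_access.ex
+++ b/lib/mv/authorization/checks/has_join_request_access.ex
@@ -0,0 +1,32 @@
+defmodule Mv.Authorization.Checks.HasJoinRequestAccess do
+@moduledoc """
+Simple policy check: true when the actor's role has JoinRequest read/update permission.
+
+Used for bypass policies on JoinRequest read actions. Uses SimpleCheck (not a filter-based
+check) so Ash does NOT call auto_filter, which would silently return an empty list for
+unauthorized actors instead of Forbidden.
+
+Returns true for permission sets that grant JoinRequest read :all (normal_user, admin).
+Returns false for all others (own_data, read_only, nil actor).
+"""
+use Ash.Policy.SimpleCheck
+
+alias Mv.Authorization.Actor
+alias Mv.Authorization.PermissionSets
+
+@impl true
+def describe(_opts), do: "actor has JoinRequest read/update access (normal_user or admin)"
+
+@impl true
+def match?(actor, _context, _opts) do
+with ps_name when not is_nil(ps_name) <- Actor.permission_set_name(actor),
+{:ok, ps_atom} <- PermissionSets.permission_set_name_to_atom(ps_name),
+permissions <- PermissionSets.get_permissions(ps_atom) do
+Enum.any?(permissions.resources, fn p ->
+p.resource == "JoinRequest" and p.action == :read and p.granted
+end)
+else
+_ -> false
+end
+end
+end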
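Review bot: `match?/3` only tests `p.action == :read`, while the moduledoc and `describe/1` both advertise "read/update" access and the moduledoc promises read `:all`. If this check is ever attached to a bypass policy on an update action (approving or rejecting a request), a permission set that grants JoinRequest read alone would be authorized to update, and a read grant with a narrower scope would also pass because scope is never compared. Either narrow the wording to what is enforced, e.g. `def describe(_opts), do: "actor's permission set grants JoinRequest :read"`, or make the predicate match the contract by also requiring the update grant and the `:all` scope (the exact field depends on the `PermissionSets` entry shape, which is not visible here). The `else _ -> false` branch fails closed for a nil actor and for unknown permission-set names, which is worth keeping and covering with a test.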