Add PermissionSets for Group, MemberGroup, MembershipFeeType, MembershipFeeCycle

- Extend permission_sets.ex with resources and pages for new domains - Adjust HasPermission check for resource/action/scope - Update roles-and-permissions and implementation-plan docs - Add permission_sets_test.exs coverage
2026-02-03 23:52:09 +01:00 · 2026-02-03 23:52:09 +01:00 · 893f9453bd
commit 893f9453bd
parent 36b7031dca
5 changed files with 449 additions and 113 deletions
--- a/test/mv/authorization/permission_sets_test.exs
+++ b/test/mv/authorization/permission_sets_test.exs
@ -496,6 +496,277 @@ defmodule Mv.Authorization.PermissionSetsTest do

      assert "*" in permissions.pages
    end
+
+    test "admin pages include explicit /settings and /membership_fee_settings" do
+      permissions = PermissionSets.get_permissions(:admin)
+
+      assert "/settings" in permissions.pages
+      assert "/membership_fee_settings" in permissions.pages
+    end
+  end
+
+  describe "get_permissions/1 - MemberGroup resource" do
+    test "own_data has MemberGroup read with scope :linked only" do
+      permissions = PermissionSets.get_permissions(:own_data)
+
+      mg_read =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MemberGroup" && p.action == :read
+        end)
+
+      mg_create =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MemberGroup" && p.action == :create
+        end)
+
+      assert mg_read != nil
+      assert mg_read.scope == :linked
+      assert mg_read.granted == true
+      assert mg_create == nil || mg_create.granted == false
+    end
+
+    test "read_only has MemberGroup read with scope :all, no create/destroy" do
+      permissions = PermissionSets.get_permissions(:read_only)
+
+      mg_read =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MemberGroup" && p.action == :read
+        end)
+
+      mg_create =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MemberGroup" && p.action == :create
+        end)
+
+      mg_destroy =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MemberGroup" && p.action == :destroy
+        end)
+
+      assert mg_read != nil
+      assert mg_read.scope == :all
+      assert mg_read.granted == true
+      assert mg_create == nil || mg_create.granted == false
+      assert mg_destroy == nil || mg_destroy.granted == false
+    end
+
+    test "normal_user has MemberGroup read/create/destroy with scope :all" do
+      permissions = PermissionSets.get_permissions(:normal_user)
+
+      mg_read =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MemberGroup" && p.action == :read
+        end)
+
+      mg_create =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MemberGroup" && p.action == :create
+        end)
+
+      mg_destroy =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MemberGroup" && p.action == :destroy
+        end)
+
+      assert mg_read != nil
+      assert mg_read.scope == :all
+      assert mg_read.granted == true
+      assert mg_create != nil
+      assert mg_create.scope == :all
+      assert mg_create.granted == true
+      assert mg_destroy != nil
+      assert mg_destroy.scope == :all
+      assert mg_destroy.granted == true
+    end
+
+    test "admin has MemberGroup read/create/destroy with scope :all" do
+      permissions = PermissionSets.get_permissions(:admin)
+
+      mg_read =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MemberGroup" && p.action == :read
+        end)
+
+      mg_create =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MemberGroup" && p.action == :create
+        end)
+
+      mg_destroy =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MemberGroup" && p.action == :destroy
+        end)
+
+      assert mg_read != nil
+      assert mg_read.scope == :all
+      assert mg_read.granted == true
+      assert mg_create != nil
+      assert mg_create.granted == true
+      assert mg_destroy != nil
+      assert mg_destroy.granted == true
+    end
+  end
+
+  describe "get_permissions/1 - MembershipFeeType resource" do
+    test "all permission sets have MembershipFeeType read with scope :all" do
+      for set <- PermissionSets.all_permission_sets() do
+        permissions = PermissionSets.get_permissions(set)
+
+        mft_read =
+          Enum.find(permissions.resources, fn p ->
+            p.resource == "MembershipFeeType" && p.action == :read
+          end)
+
+        assert mft_read != nil, "Permission set #{set} should have MembershipFeeType read"
+        assert mft_read.scope == :all
+        assert mft_read.granted == true
+      end
+    end
+
+    test "only admin has MembershipFeeType create/update/destroy" do
+      for set <- [:own_data, :read_only, :normal_user] do
+        permissions = PermissionSets.get_permissions(set)
+
+        mft_create =
+          Enum.find(permissions.resources, fn p ->
+            p.resource == "MembershipFeeType" && p.action == :create
+          end)
+
+        mft_update =
+          Enum.find(permissions.resources, fn p ->
+            p.resource == "MembershipFeeType" && p.action == :update
+          end)
+
+        mft_destroy =
+          Enum.find(permissions.resources, fn p ->
+            p.resource == "MembershipFeeType" && p.action == :destroy
+          end)
+
+        assert mft_create == nil || mft_create.granted == false,
+               "Permission set #{set} should not allow MembershipFeeType create"
+
+        assert mft_update == nil || mft_update.granted == false,
+               "Permission set #{set} should not allow MembershipFeeType update"
+
+        assert mft_destroy == nil || mft_destroy.granted == false,
+               "Permission set #{set} should not allow MembershipFeeType destroy"
+      end
+
+      admin_permissions = PermissionSets.get_permissions(:admin)
+
+      mft_create =
+        Enum.find(admin_permissions.resources, fn p ->
+          p.resource == "MembershipFeeType" && p.action == :create
+        end)
+
+      mft_update =
+        Enum.find(admin_permissions.resources, fn p ->
+          p.resource == "MembershipFeeType" && p.action == :update
+        end)
+
+      mft_destroy =
+        Enum.find(admin_permissions.resources, fn p ->
+          p.resource == "MembershipFeeType" && p.action == :destroy
+        end)
+
+      assert mft_create != nil
+      assert mft_create.scope == :all
+      assert mft_create.granted == true
+      assert mft_update != nil
+      assert mft_update.granted == true
+      assert mft_destroy != nil
+      assert mft_destroy.granted == true
+    end
+  end
+
+  describe "get_permissions/1 - MembershipFeeCycle resource" do
+    test "all permission sets have MembershipFeeCycle read with scope :all" do
+      for set <- PermissionSets.all_permission_sets() do
+        permissions = PermissionSets.get_permissions(set)
+
+        mfc_read =
+          Enum.find(permissions.resources, fn p ->
+            p.resource == "MembershipFeeCycle" && p.action == :read
+          end)
+
+        assert mfc_read != nil, "Permission set #{set} should have MembershipFeeCycle read"
+        assert mfc_read.scope == :all
+        assert mfc_read.granted == true
+      end
+    end
+
+    test "read_only has MembershipFeeCycle read only, no update" do
+      permissions = PermissionSets.get_permissions(:read_only)
+
+      mfc_update =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MembershipFeeCycle" && p.action == :update
+        end)
+
+      assert mfc_update == nil || mfc_update.granted == false
+    end
+
+    test "normal_user has MembershipFeeCycle read/create/update/destroy with scope :all" do
+      permissions = PermissionSets.get_permissions(:normal_user)
+
+      mfc_read =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MembershipFeeCycle" && p.action == :read
+        end)
+
+      mfc_create =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MembershipFeeCycle" && p.action == :create
+        end)
+
+      mfc_update =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MembershipFeeCycle" && p.action == :update
+        end)
+
+      mfc_destroy =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MembershipFeeCycle" && p.action == :destroy
+        end)
+
+      assert mfc_read != nil && mfc_read.granted == true
+      assert mfc_create != nil && mfc_create.scope == :all && mfc_create.granted == true
+      assert mfc_update != nil && mfc_update.granted == true
+      assert mfc_destroy != nil && mfc_destroy.scope == :all && mfc_destroy.granted == true
+    end
+
+    test "admin has MembershipFeeCycle read/create/update/destroy with scope :all" do
+      permissions = PermissionSets.get_permissions(:admin)
+
+      mfc_read =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MembershipFeeCycle" && p.action == :read
+        end)
+
+      mfc_create =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MembershipFeeCycle" && p.action == :create
+        end)
+
+      mfc_update =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MembershipFeeCycle" && p.action == :update
+        end)
+
+      mfc_destroy =
+        Enum.find(permissions.resources, fn p ->
+          p.resource == "MembershipFeeCycle" && p.action == :destroy
+        end)
+
+      assert mfc_read != nil
+      assert mfc_read.granted == true
+      assert mfc_create != nil
+      assert mfc_create.granted == true
+      assert mfc_update != nil
+      assert mfc_update.granted == true
+      assert mfc_destroy != nil
+      assert mfc_destroy.granted == true
+    end
  end

  describe "valid_permission_set?/1" do