User form: persist role, member linking, Forbidden handling

- User resource: update_user accepts role_id, manage_relationship :member
- user_live/form: touch role_id, params_with_member_if_unchanged to avoid unlink
- Handle Forbidden in form, extract error message for display
- user_policies_test and form_test coverage

test/mv_web/user_live/form_test.exs

@@ -213,6 +213,35 @@ defmodule MvWeb.UserLive.FormTest do
       assert not is_nil(updated_user.hashed_password)
       assert updated_user.hashed_password != ""
     end
+
+    test "admin can change user role and change persists", %{conn: conn} do
+      system_actor = Mv.Helpers.SystemActor.get_system_actor()
+
+      role_a = Mv.Fixtures.role_fixture("normal_user")
+      role_b = Mv.Fixtures.role_fixture("read_only")
+
+      user = create_test_user(%{email: "rolechange@example.com"})
+      {:ok, user} = Mv.Accounts.update_user(user, %{role_id: role_a.id}, actor: system_actor)
+      assert user.role_id == role_a.id
+
+      {:ok, view, _html} = setup_live_view(conn, "/users/#{user.id}/edit")
+
+      view
+      |> form("#user-form",
+        user: %{
+          email: "rolechange@example.com",
+          role_id: role_b.id
+        }
+      )
+      |> render_submit()
+
+      assert_redirected(view, "/users")
+
+      updated_user = Ash.reload!(user, domain: Mv.Accounts, actor: system_actor)
+
+      assert updated_user.role_id == role_b.id,
+             "Expected role_id to persist as #{role_b.id}, got #{inspect(updated_user.role_id)}"
+    end
   end
 
   describe "edit user form - validation" do