test: adapt tests for attribute-level default solution

test/mv/accounts/user_policies_test.exs

@@ -354,9 +354,14 @@ defmodule Mv.Accounts.UserPoliciesTest do
         })
         |> Ash.Changeset.set_context(%{private: %{ash_authentication?: true}})
 
-      {:ok, user} = Ash.create(changeset)
+      {:ok, user} = Ash.create(changeset, domain: Mv.Accounts)
 
       assert user.email
+
+      # Verify that default "Mitglied" role was assigned
+      {:ok, user_with_role} = Ash.load(user, :role, domain: Mv.Accounts, authorize?: false)
+      assert user_with_role.role != nil
+      assert user_with_role.role.name == "Mitglied"
     end
 
     test "register_with_rauthy works without actor via AshAuthentication bypass" do

test/mv/helpers/system_actor_test.exs

@@ -4,6 +4,8 @@ defmodule Mv.Helpers.SystemActorTest do
   """
   use Mv.DataCase, async: false
 
+  import Ecto.Query
+
   alias Mv.Helpers.SystemActor
   alias Mv.Authorization
   alias Mv.Accounts
@@ -266,13 +268,15 @@ defmodule Mv.Helpers.SystemActorTest do
 
   describe "edge cases" do
     test "raises error if admin user has no role", %{admin_user: admin_user} do
-      system_actor = SystemActor.get_system_actor()
+      # Remove role from admin user by directly setting role_id to NULL in database
+      # (We can't use Ash because allow_nil? false prevents setting role_id to nil)
+      # Convert UUID to binary format for Postgrex
+      admin_user_id = Ecto.UUID.cast!(admin_user.id)
 
-      # Remove role from admin user
-      admin_user
-      |> Ash.Changeset.for_update(:update, %{})
-      |> Ash.Changeset.manage_relationship(:role, nil, type: :append_and_remove)
-      |> Ash.update!(actor: system_actor)
+      Mv.Repo.update_all(
+        from(u in "users", where: u.id == type(^admin_user_id, :binary_id)),
+        set: [role_id: nil]
+      )
 
       # Delete system user to force fallback
       system_actor = SystemActor.get_system_actor()
@@ -369,13 +373,15 @@ defmodule Mv.Helpers.SystemActorTest do
     end
 
     test "raises error if system user has no role", %{system_user: system_user} do
-      system_actor = SystemActor.get_system_actor()
+      # Remove role from system user by directly setting role_id to NULL in database
+      # (We can't use Ash because allow_nil? false prevents setting role_id to nil)
+      # Convert UUID to binary format for Postgrex
+      system_user_id = Ecto.UUID.cast!(system_user.id)
 
-      # Remove role from system user
-      system_user
-      |> Ash.Changeset.for_update(:update, %{})
-      |> Ash.Changeset.manage_relationship(:role, nil, type: :append_and_remove)
-      |> Ash.update!(actor: system_actor)
+      Mv.Repo.update_all(
+        from(u in "users", where: u.id == type(^system_user_id, :binary_id)),
+        set: [role_id: nil]
+      )
 
       SystemActor.invalidate_cache()
 

test/seeds_test.exs

@@ -126,7 +126,7 @@ defmodule Mv.SeedsTest do
     test "creates all 5 authorization roles with correct permission sets" do
       # Run seeds once for this test
       Code.eval_file("priv/repo/seeds.exs")
-      {:ok, roles} = Ash.read(Mv.Authorization.Role)
+      {:ok, roles} = Ash.read(Mv.Authorization.Role, domain: Mv.Authorization, authorize?: false)
 
       assert length(roles) >= 5, "Should have at least 5 roles"
 
@@ -153,7 +153,7 @@ defmodule Mv.SeedsTest do
       {:ok, mitglied} =
         Mv.Authorization.Role
         |> Ash.Query.filter(name == "Mitglied")
-        |> Ash.read_one()
+        |> Ash.read_one(domain: Mv.Authorization, authorize?: false)
 
       assert mitglied.is_system_role == true
     end
@@ -161,7 +161,7 @@ defmodule Mv.SeedsTest do
     test "all roles have valid permission_set_names" do
       Code.eval_file("priv/repo/seeds.exs")
 
-      {:ok, roles} = Ash.read(Mv.Authorization.Role)
+      {:ok, roles} = Ash.read(Mv.Authorization.Role, domain: Mv.Authorization, authorize?: false)
 
       valid_sets =
         Mv.Authorization.PermissionSets.all_permission_sets()
@@ -238,10 +238,14 @@ defmodule Mv.SeedsTest do
 
     test "role creation is idempotent" do
       Code.eval_file("priv/repo/seeds.exs")
-      {:ok, roles_1} = Ash.read(Mv.Authorization.Role)
+
+      {:ok, roles_1} =
+        Ash.read(Mv.Authorization.Role, domain: Mv.Authorization, authorize?: false)
 
       Code.eval_file("priv/repo/seeds.exs")
-      {:ok, roles_2} = Ash.read(Mv.Authorization.Role)
+
+      {:ok, roles_2} =
+        Ash.read(Mv.Authorization.Role, domain: Mv.Authorization, authorize?: false)
 
       assert length(roles_1) == length(roles_2),
              "Role count should remain same after re-running seeds"

test/support/data_case.ex

@@ -31,7 +31,9 @@ defmodule Mv.DataCase do
 
   setup tags do
     Mv.DataCase.setup_sandbox(tags)
-    # Ensure "Mitglied" role exists for AssignDefaultRole to work in tests
+    # Ensure "Mitglied" role exists for default role assignment to work in tests
+    # Note: This runs in every test because each test runs in a sandboxed database.
+    # The check is fast (single query) and idempotent (skips if role exists).
     Mv.DataCase.ensure_default_role()
     :ok
   end
@@ -49,7 +51,7 @@ defmodule Mv.DataCase do
   @doc """
   Ensures the default "Mitglied" role exists in the test database.
 
-  This is necessary because AssignDefaultRole expects this role to exist.
+  This is necessary because the role_id attribute's default function expects this role to exist.
   Tests run in sandbox mode, so the role needs to be created for each test.
   """
   def ensure_default_role do