Update seeds to create all 5 authorization roles

priv/repo/seeds.exs

@@ -129,28 +129,76 @@ end
 # Get admin email from environment variable or use default
 admin_email = System.get_env("ADMIN_EMAIL") || "admin@localhost"
 
-# Create admin role (used for assigning to admin users)
+# Create all authorization roles (idempotent - creates only if they don't exist)
-admin_role =
+# Roles are created using create_role_with_system_flag to allow setting is_system_role
-  case Authorization.list_roles() do
+role_configs = [
-    {:ok, roles} ->
+  %{
-      case Enum.find(roles, &(&1.name == "Admin" && &1.permission_set_name == "admin")) do
+    name: "Mitglied",
-        nil ->
+    description: "Default member role with access to own data only",
-          # Create admin role if it doesn't exist
+    permission_set_name: "own_data",
-          case Authorization.create_role(%{
+    is_system_role: true
-                 name: "Admin",
+  },
-                 description: "Administrator with full access",
+  %{
-                 permission_set_name: "admin"
+    name: "Vorstand",
-               }) do
+    description: "Board member with read access to all member data",
-            {:ok, role} -> role
+    permission_set_name: "read_only",
-            {:error, _error} -> nil
+    is_system_role: false
-          end
+  },
+  %{
+    name: "Kassenwart",
+    description: "Treasurer with full member and payment management",
+    permission_set_name: "normal_user",
+    is_system_role: false
+  },
+  %{
+    name: "Buchhaltung",
+    description: "Accounting with read-only access for auditing",
+    permission_set_name: "read_only",
+    is_system_role: false
+  },
+  %{
+    name: "Admin",
+    description: "Administrator with unrestricted access",
+    permission_set_name: "admin",
+    is_system_role: false
+  }
+]
 
-        role ->
+# Create or update each role
-          role
+Enum.each(role_configs, fn role_data ->
+  case Mv.Authorization.Role
+       |> Ash.Query.filter(name == ^role_data.name)
+       |> Ash.read_one(authorize?: false, domain: Mv.Authorization) do
+    {:ok, existing_role} when not is_nil(existing_role) ->
+      # Role exists - update if needed (preserve is_system_role)
+      if existing_role.permission_set_name != role_data.permission_set_name or
+           existing_role.description != role_data.description do
+        existing_role
+        |> Ash.Changeset.for_update(:update_role, %{
+          description: role_data.description,
+          permission_set_name: role_data.permission_set_name
+        })
+        |> Ash.update!(authorize?: false, domain: Mv.Authorization)
       end
 
-    {:error, _error} ->
+    {:ok, nil} ->
-      nil
+      # Role doesn't exist - create it
+      Mv.Authorization.Role
+      |> Ash.Changeset.for_create(:create_role_with_system_flag, role_data)
+      |> Ash.create!(authorize?: false, domain: Mv.Authorization)
+
+    {:error, error} ->
+      IO.puts("Warning: Failed to check for role #{role_data.name}: #{inspect(error)}")
+  end
+end)
+
+# Get admin role for assignment to admin user
+admin_role =
+  case Mv.Authorization.Role
+       |> Ash.Query.filter(name == "Admin")
+       |> Ash.read_one(authorize?: false, domain: Mv.Authorization) do
+    {:ok, role} when not is_nil(role) -> role
+    _ -> nil
   end
 
 if is_nil(admin_role) do