feat: implement role management LiveViews

Add complete CRUD interface for role management under /admin/roles. - Index page with table showing name, description, permission_set_name, is_system_role - Show page for role details - Form component for create/edit with permission_set_name dropdown - System role badge and disabled delete button - Flash messages for success/error - Authorization checks using MvWeb.Authorization helpers - Comprehensive test coverage (22 tests) Routes added under /admin scope. All LiveViews load user role for authorization checks. Form uses custom dropdown for permission sets.
2026-01-06 23:12:56 +01:00 · 2026-01-06 23:12:56 +01:00 · 9a86e0ec01
commit 9a86e0ec01
parent ff9c8d2d64
7 changed files with 1074 additions and 0 deletions
--- a/lib/mv_web/live/role_live/form.ex
+++ b/lib/mv_web/live/role_live/form.ex
@ -0,0 +1,202 @@
+defmodule MvWeb.RoleLive.Form do
+  @moduledoc """
+  LiveView form for creating and editing roles.
+
+  ## Features
+  - Create new roles
+  - Edit existing roles (name, description, permission_set_name)
+  - Custom dropdown for permission_set_name with badges
+  - Form validation
+
+  ## Security
+  Only admins can access this page (enforced by authorization).
+  """
+  use MvWeb, :live_view
+
+  alias Mv.Authorization.PermissionSets
+
+  @impl true
+  def render(assigns) do
+    ~H"""
+    <Layouts.app flash={@flash} current_user={@current_user}>
+      <.header>
+        {@page_title}
+        <:subtitle>{gettext("Use this form to manage roles in your database.")}</:subtitle>
+      </.header>
+
+      <.form class="max-w-xl" for={@form} id="role-form" phx-change="validate" phx-submit="save">
+        <.input field={@form[:name]} type="text" label={gettext("Name")} required />
+
+        <.input
+          field={@form[:description]}
+          type="textarea"
+          label={gettext("Description")}
+          rows="3"
+        />
+
+        <div class="form-control">
+          <label class="label" for="role-form_permission_set_name">
+            <span class="label-text font-semibold">
+              {gettext("Permission Set")}
+              <span class="text-red-700">*</span>
+            </span>
+          </label>
+          <select
+            class={[
+              "select select-bordered w-full",
+              @form.errors[:permission_set_name] && "select-error"
+            ]}
+            name="role[permission_set_name]"
+            id="role-form_permission_set_name"
+            required
+            aria-label={gettext("Permission Set")}
+          >
+            <option value="">{gettext("Select permission set")}</option>
+            <%= for permission_set <- all_permission_sets() do %>
+              <option
+                value={permission_set}
+                selected={@form[:permission_set_name].value == permission_set}
+              >
+                {format_permission_set_option(permission_set)}
+              </option>
+            <% end %>
+          </select>
+          <%= if @form.errors[:permission_set_name] do %>
+            <%= for error <- List.wrap(@form.errors[:permission_set_name]) do %>
+              <% {msg, _opts} = if is_tuple(error), do: error, else: {error, []} %>
+              <p class="mt-1.5 flex gap-2 items-center text-sm text-error">
+                <.icon name="hero-exclamation-circle" class="size-5" />
+                {msg}
+              </p>
+            <% end %>
+          <% end %>
+        </div>
+
+        <div class="mt-4">
+          <.button phx-disable-with={gettext("Saving...")} variant="primary" type="submit">
+            {gettext("Save Role")}
+          </.button>
+          <.button navigate={return_path(@return_to, @role)} type="button">
+            {gettext("Cancel")}
+          </.button>
+        </div>
+      </.form>
+    </Layouts.app>
+    """
+  end
+
+  @impl true
+  def mount(params, _session, socket) do
+    # Ensure current_user has role loaded for authorization checks
+    socket =
+      if socket.assigns[:current_user] do
+        user = socket.assigns.current_user
+
+        user_with_role =
+          case Map.get(user, :role) do
+            %Ash.NotLoaded{} -> Ash.load!(user, :role, domain: Mv.Accounts)
+            nil -> Ash.load!(user, :role, domain: Mv.Accounts)
+            role when not is_nil(role) -> user
+          end
+
+        assign(socket, :current_user, user_with_role)
+      else
+        socket
+      end
+
+    role =
+      case params["id"] do
+        nil -> nil
+        id -> Ash.get!(Mv.Authorization.Role, id, domain: Mv.Authorization)
+      end
+
+    action = if is_nil(role), do: gettext("New"), else: gettext("Edit")
+    page_title = action <> " " <> gettext("Role")
+
+    {:ok,
+     socket
+     |> assign(:return_to, return_to(params["return_to"]))
+     |> assign(:role, role)
+     |> assign(:page_title, page_title)
+     |> assign_form()}
+  end
+
+  @spec return_to(String.t() | nil) :: String.t()
+  defp return_to("show"), do: "show"
+  defp return_to(_), do: "index"
+
+  @impl true
+  def handle_event("validate", %{"role" => role_params}, socket) do
+    validated_form = AshPhoenix.Form.validate(socket.assigns.form, role_params)
+    {:noreply, assign(socket, form: validated_form)}
+  end
+
+  def handle_event("save", %{"role" => role_params}, socket) do
+    case AshPhoenix.Form.submit(socket.assigns.form, params: role_params) do
+      {:ok, role} ->
+        notify_parent({:saved, role})
+
+        redirect_path =
+          if socket.assigns.return_to == "show" do
+            ~p"/admin/roles/#{role.id}"
+          else
+            ~p"/admin/roles"
+          end
+
+        socket =
+          socket
+          |> put_flash(:info, gettext("Role saved successfully"))
+          |> push_navigate(to: redirect_path)
+
+        {:noreply, socket}
+
+      {:error, form} ->
+        {:noreply, assign(socket, form: form)}
+    end
+  end
+
+  @spec notify_parent(any()) :: any()
+  defp notify_parent(msg), do: send(self(), {__MODULE__, msg})
+
+  @spec assign_form(Phoenix.LiveView.Socket.t()) :: Phoenix.LiveView.Socket.t()
+  defp assign_form(%{assigns: %{role: role}} = socket) do
+    form =
+      if role do
+        AshPhoenix.Form.for_update(role, :update_role, domain: Mv.Authorization, as: "role")
+      else
+        AshPhoenix.Form.for_create(
+          Mv.Authorization.Role,
+          :create_role,
+          domain: Mv.Authorization,
+          as: "role"
+        )
+      end
+
+    assign(socket, form: to_form(form))
+  end
+
+  defp all_permission_sets do
+    PermissionSets.all_permission_sets() |> Enum.map(&Atom.to_string/1)
+  end
+
+  defp format_permission_set_option("own_data"),
+    do: gettext("own_data - Access only to own data")
+
+  defp format_permission_set_option("read_only"),
+    do: gettext("read_only - Read access to all data")
+
+  defp format_permission_set_option("normal_user"),
+    do: gettext("normal_user - Create/Read/Update access")
+
+  defp format_permission_set_option("admin"),
+    do: gettext("admin - Unrestricted access")
+
+  defp format_permission_set_option(set), do: set
+
+  @spec return_path(String.t(), Mv.Authorization.Role.t() | nil) :: String.t()
+  defp return_path("index", _role), do: ~p"/admin/roles"
+  defp return_path("show", role) when not is_nil(role), do: ~p"/admin/roles/#{role.id}"
+  defp return_path("show", _role), do: ~p"/admin/roles"
+  defp return_path(_, role) when not is_nil(role), do: ~p"/admin/roles/#{role.id}"
+  defp return_path(_, _role), do: ~p"/admin/roles"
+end
--- a/lib/mv_web/live/role_live/index.ex
+++ b/lib/mv_web/live/role_live/index.ex
@ -0,0 +1,93 @@
+defmodule MvWeb.RoleLive.Index do
+  @moduledoc """
+  LiveView for displaying and managing the role list.
+
+  ## Features
+  - List all roles with name, description, permission_set_name, is_system_role
+  - Create new roles
+  - Navigate to role details and edit forms
+  - Delete non-system roles
+
+  ## Events
+  - `delete` - Remove a role from the database (only non-system roles)
+
+  ## Security
+  Only admins can access this page (enforced by authorization).
+  """
+  use MvWeb, :live_view
+
+  alias Mv.Authorization
+
+  @impl true
+  def mount(_params, _session, socket) do
+    # Ensure current_user has role loaded for authorization checks
+    socket =
+      if socket.assigns[:current_user] do
+        user = socket.assigns.current_user
+
+        # Load role if not already loaded (check for Ash.NotLoaded struct)
+        user_with_role =
+          case Map.get(user, :role) do
+            %Ash.NotLoaded{} -> Ash.load!(user, :role, domain: Mv.Accounts)
+            nil -> Ash.load!(user, :role, domain: Mv.Accounts)
+            role when not is_nil(role) -> user
+          end
+
+        assign(socket, :current_user, user_with_role)
+      else
+        socket
+      end
+
+    roles = load_roles()
+
+    {:ok,
+     socket
+     |> assign(:page_title, gettext("Listing Roles"))
+     |> assign(:roles, roles)}
+  end
+
+  @impl true
+  def handle_event("delete", %{"id" => id}, socket) do
+    {:ok, role} = Authorization.get_role(id)
+
+    case Authorization.destroy_role(role) do
+      :ok ->
+        updated_roles = Enum.reject(socket.assigns.roles, &(&1.id == id))
+
+        {:noreply,
+         socket
+         |> assign(:roles, updated_roles)
+         |> put_flash(:info, gettext("Role deleted successfully"))}
+
+      {:error, error} ->
+        error_message = format_error(error)
+
+        {:noreply,
+         put_flash(
+           socket,
+           :error,
+           gettext("Failed to delete role: %{error}", error: error_message)
+         )}
+    end
+  end
+
+  defp load_roles do
+    case Authorization.list_roles() do
+      {:ok, roles} -> Enum.sort_by(roles, & &1.name)
+      {:error, _} -> []
+    end
+  end
+
+  defp format_error(%Ash.Error.Invalid{} = error) do
+    Enum.map_join(error.errors, ", ", fn e -> e.message end)
+  end
+
+  defp format_error(error) when is_binary(error), do: error
+  defp format_error(_error), do: gettext("An error occurred")
+
+  defp permission_set_badge_class("own_data"), do: "badge badge-neutral badge-sm"
+  defp permission_set_badge_class("read_only"), do: "badge badge-info badge-sm"
+  defp permission_set_badge_class("normal_user"), do: "badge badge-success badge-sm"
+  defp permission_set_badge_class("admin"), do: "badge badge-error badge-sm"
+  defp permission_set_badge_class(_), do: "badge badge-ghost badge-sm"
+end
--- a/lib/mv_web/live/role_live/index.html.heex
+++ b/lib/mv_web/live/role_live/index.html.heex
@ -0,0 +1,91 @@
+<Layouts.app flash={@flash} current_user={@current_user}>
+  <.header>
+    {gettext("Listing Roles")}
+    <:subtitle>
+      {gettext("Manage user roles and their permission sets.")}
+    </:subtitle>
+    <:actions>
+      <%= if can?(@current_user, :create, Mv.Authorization.Role) do %>
+        <.button variant="primary" navigate={~p"/admin/roles/new"}>
+          <.icon name="hero-plus" /> {gettext("New Role")}
+        </.button>
+      <% end %>
+    </:actions>
+  </.header>
+
+  <.table
+    id="roles"
+    rows={@roles}
+    row_click={fn role -> JS.navigate(~p"/admin/roles/#{role}") end}
+  >
+    <:col :let={role} label={gettext("Name")}>
+      <div class="flex items-center gap-2">
+        <span class="font-medium">{role.name}</span>
+        <%= if role.is_system_role do %>
+          <span class="badge badge-warning badge-sm">{gettext("System Role")}</span>
+        <% end %>
+      </div>
+    </:col>
+
+    <:col :let={role} label={gettext("Description")}>
+      <%= if role.description do %>
+        <span class="text-sm">{role.description}</span>
+      <% else %>
+        <span class="text-base-content/50">{gettext("No description")}</span>
+      <% end %>
+    </:col>
+
+    <:col :let={role} label={gettext("Permission Set")}>
+      <span class={permission_set_badge_class(role.permission_set_name)}>
+        {role.permission_set_name}
+      </span>
+    </:col>
+
+    <:col :let={role} label={gettext("Type")}>
+      <%= if role.is_system_role do %>
+        <span class="badge badge-warning badge-sm">{gettext("System")}</span>
+      <% else %>
+        <span class="badge badge-ghost badge-sm">{gettext("Custom")}</span>
+      <% end %>
+    </:col>
+
+    <:action :let={role}>
+      <div class="sr-only">
+        <.link navigate={~p"/admin/roles/#{role}"}>{gettext("Show")}</.link>
+      </div>
+
+      <%= if can?(@current_user, :update, Mv.Authorization.Role) do %>
+        <.link navigate={~p"/admin/roles/#{role}/edit"} class="btn btn-ghost btn-xs">
+          <.icon name="hero-pencil" class="size-4" />
+        </.link>
+      <% end %>
+    </:action>
+
+    <:action :let={role}>
+      <%= if can?(@current_user, :destroy, Mv.Authorization.Role) and not role.is_system_role do %>
+        <.link
+          phx-click={JS.push("delete", value: %{id: role.id}) |> hide("#row-#{role.id}")}
+          data-confirm={gettext("Are you sure?")}
+          class="btn btn-ghost btn-xs text-error"
+          aria-label={gettext("Delete role")}
+        >
+          <.icon name="hero-trash" class="size-4" />
+        </.link>
+      <% else %>
+        <div
+          :if={role.is_system_role}
+          class="tooltip tooltip-left"
+          data-tip={gettext("System roles cannot be deleted")}
+        >
+          <button
+            class="btn btn-ghost btn-xs text-error opacity-50 cursor-not-allowed"
+            disabled={true}
+            aria-label={gettext("Cannot delete system role")}
+          >
+            <.icon name="hero-trash" class="size-4" />
+          </button>
+        </div>
+      <% end %>
+    </:action>
+  </.table>
+</Layouts.app>
--- a/lib/mv_web/live/role_live/show.ex
+++ b/lib/mv_web/live/role_live/show.ex
@ -0,0 +1,94 @@
+defmodule MvWeb.RoleLive.Show do
+  @moduledoc """
+  LiveView for displaying a single role's details.
+
+  ## Features
+  - Display role information (name, description, permission_set_name, is_system_role)
+  - Navigate to edit form
+  - Return to role list
+
+  ## Security
+  Only admins can access this page (enforced by authorization).
+  """
+  use MvWeb, :live_view
+
+  @impl true
+  def mount(%{"id" => id}, _session, socket) do
+    # Ensure current_user has role loaded for authorization checks
+    socket =
+      if socket.assigns[:current_user] do
+        user = socket.assigns.current_user
+
+        user_with_role =
+          case Map.get(user, :role) do
+            %Ash.NotLoaded{} -> Ash.load!(user, :role, domain: Mv.Accounts)
+            nil -> Ash.load!(user, :role, domain: Mv.Accounts)
+            role when not is_nil(role) -> user
+          end
+
+        assign(socket, :current_user, user_with_role)
+      else
+        socket
+      end
+
+    role = Ash.get!(Mv.Authorization.Role, id, domain: Mv.Authorization)
+
+    {:ok,
+     socket
+     |> assign(:page_title, gettext("Show Role"))
+     |> assign(:role, role)}
+  end
+
+  @impl true
+  def render(assigns) do
+    ~H"""
+    <Layouts.app flash={@flash} current_user={@current_user}>
+      <.header>
+        {gettext("Role")} {@role.name}
+        <:subtitle>{gettext("Role details and permissions.")}</:subtitle>
+
+        <:actions>
+          <.button navigate={~p"/admin/roles"} aria-label={gettext("Back to roles list")}>
+            <.icon name="hero-arrow-left" />
+            <span class="sr-only">{gettext("Back to roles list")}</span>
+          </.button>
+          <%= if can?(@current_user, :update, Mv.Authorization.Role) do %>
+            <.button variant="primary" navigate={~p"/admin/roles/#{@role}/edit"}>
+              <.icon name="hero-pencil-square" /> {gettext("Edit Role")}
+            </.button>
+          <% end %>
+        </:actions>
+      </.header>
+
+      <.list>
+        <:item title={gettext("Name")}>{@role.name}</:item>
+        <:item title={gettext("Description")}>
+          <%= if @role.description do %>
+            {@role.description}
+          <% else %>
+            <span class="text-base-content/50 italic">{gettext("No description")}</span>
+          <% end %>
+        </:item>
+        <:item title={gettext("Permission Set")}>
+          <span class={permission_set_badge_class(@role.permission_set_name)}>
+            {@role.permission_set_name}
+          </span>
+        </:item>
+        <:item title={gettext("System Role")}>
+          <%= if @role.is_system_role do %>
+            <span class="badge badge-warning">{gettext("Yes")}</span>
+          <% else %>
+            <span class="badge badge-ghost">{gettext("No")}</span>
+          <% end %>
+        </:item>
+      </.list>
+    </Layouts.app>
+    """
+  end
+
+  defp permission_set_badge_class("own_data"), do: "badge badge-neutral badge-sm"
+  defp permission_set_badge_class("read_only"), do: "badge badge-info badge-sm"
+  defp permission_set_badge_class("normal_user"), do: "badge badge-success badge-sm"
+  defp permission_set_badge_class("admin"), do: "badge badge-error badge-sm"
+  defp permission_set_badge_class(_), do: "badge badge-ghost badge-sm"
+end
--- a/lib/mv_web/router.ex
+++ b/lib/mv_web/router.ex
@ -81,6 +81,12 @@ defmodule MvWeb.Router do
      live "/contribution_types", ContributionTypeLive.Index, :index
      live "/contributions/member/:id", ContributionPeriodLive.Show, :show

+      # Role Management (Admin only)
+      live "/admin/roles", RoleLive.Index, :index
+      live "/admin/roles/new", RoleLive.Form, :new
+      live "/admin/roles/:id", RoleLive.Show, :show
+      live "/admin/roles/:id/edit", RoleLive.Form, :edit
+
      post "/set_locale", LocaleController, :set_locale
    end