Add tests for system actor protection and hiding

Index: system actor not in list, destroy returns Ash.Error.Invalid. Show/Form: redirect to /users when viewing or editing system actor user.
2026-01-27 14:29:26 +01:00 · 2026-01-27 14:29:26 +01:00 · 9c31f0c16c
commit 9c31f0c16c
parent 8ad5201e1a
4 changed files with 57 additions and 8 deletions
--- a/test/mv/helpers/system_actor_test.exs
+++ b/test/mv/helpers/system_actor_test.exs
@ -10,6 +10,14 @@ defmodule Mv.Helpers.SystemActorTest do

  require Ash.Query

+  # Deletes a user row directly via SQL, bypassing Ash validations.
+  # Use only in tests when setting up "no system user" / "no users" scenarios;
+  # Ash.destroy! forbids deleting the system actor user.
+  defp delete_user_bypass_ash(user) do
+    id = Ecto.UUID.dump!(user.id)
+    Ecto.Adapters.SQL.query!(Mv.Repo, "DELETE FROM users WHERE id = $1", [id])
+  end
+
  # Helper function to ensure admin role exists
  defp ensure_admin_role do
    case Authorization.list_roles() do
@ -124,7 +132,7 @@ defmodule Mv.Helpers.SystemActorTest do
           |> Ash.Query.filter(email == ^"system@mila.local")
           |> Ash.read_one(domain: Mv.Accounts, actor: system_actor) do
        {:ok, user} when not is_nil(user) ->
-          Ash.destroy!(user, domain: Mv.Accounts, actor: system_actor)
+          delete_user_bypass_ash(user)

        _ ->
          :ok
@ -163,7 +171,7 @@ defmodule Mv.Helpers.SystemActorTest do
           |> Ash.Query.filter(email == ^"system@mila.local")
           |> Ash.read_one(domain: Mv.Accounts, actor: system_actor) do
        {:ok, user} when not is_nil(user) ->
-          Ash.destroy!(user, domain: Mv.Accounts, actor: system_actor)
+          delete_user_bypass_ash(user)

        _ ->
          :ok
@ -177,7 +185,7 @@ defmodule Mv.Helpers.SystemActorTest do
           |> Ash.Query.filter(email == ^admin_email)
           |> Ash.read_one(domain: Mv.Accounts, actor: system_actor) do
        {:ok, user} when not is_nil(user) ->
-          Ash.destroy!(user, domain: Mv.Accounts, actor: system_actor)
+          delete_user_bypass_ash(user)

        _ ->
          :ok
@ -227,7 +235,7 @@ defmodule Mv.Helpers.SystemActorTest do
           |> Ash.Query.filter(email == ^"system@mila.local")
           |> Ash.read_one(domain: Mv.Accounts, actor: system_actor) do
        {:ok, user} when not is_nil(user) ->
-          Ash.destroy!(user, domain: Mv.Accounts, actor: system_actor)
+          delete_user_bypass_ash(user)

        _ ->
          :ok
@ -241,7 +249,7 @@ defmodule Mv.Helpers.SystemActorTest do
           |> Ash.Query.filter(email == ^admin_email)
           |> Ash.read_one(domain: Mv.Accounts, actor: system_actor) do
        {:ok, user} when not is_nil(user) ->
-          Ash.destroy!(user, domain: Mv.Accounts, actor: system_actor)
+          delete_user_bypass_ash(user)

        _ ->
          :ok
@ -275,7 +283,7 @@ defmodule Mv.Helpers.SystemActorTest do
           |> Ash.Query.filter(email == ^"system@mila.local")
           |> Ash.read_one(domain: Mv.Accounts, actor: system_actor) do
        {:ok, user} when not is_nil(user) ->
-          Ash.destroy!(user, domain: Mv.Accounts, actor: system_actor)
+          delete_user_bypass_ash(user)

        _ ->
          :ok
@ -314,7 +322,7 @@ defmodule Mv.Helpers.SystemActorTest do
           |> Ash.Query.filter(email == ^"system@mila.local")
           |> Ash.read_one(domain: Mv.Accounts, actor: system_actor) do
        {:ok, user} when not is_nil(user) ->
-          Ash.destroy!(user, domain: Mv.Accounts, actor: system_actor)
+          delete_user_bypass_ash(user)

        _ ->
          :ok
@ -328,7 +336,7 @@ defmodule Mv.Helpers.SystemActorTest do
           |> Ash.Query.filter(email == ^admin_email)
           |> Ash.read_one(domain: Mv.Accounts, actor: system_actor) do
        {:ok, user} when not is_nil(user) ->
-          Ash.destroy!(user, domain: Mv.Accounts, actor: system_actor)
+          delete_user_bypass_ash(user)

        _ ->
          :ok