refactor: apply review notes

lib/membership/join_request.ex

@@ -12,16 +12,25 @@ defmodule Mv.Membership.JoinRequest do
     data_layer: AshPostgres.DataLayer,
     authorizers: [Ash.Policy.Authorizer]
 
+  alias Ash.Policy.Check.Builtins, as: AshBuiltins
+
   postgres do
     table "join_requests"
     repo Mv.Repo
   end
 
   actions do
-    defaults [:read, :destroy]
+    defaults [:destroy]
+
+    # Admin: list and get by id (used with HasPermission)
+    read :admin_read do
+      description "List and get JoinRequests; requires permission (e.g. admin / normal_user)"
+      primary? true
+    end
 
     create :create do
       primary? true
+
       accept [
         :email,
         :confirmation_token_hash,
@@ -38,15 +47,9 @@ defmodule Mv.Membership.JoinRequest do
 
     create :confirm do
       description "Public action: create JoinRequest after confirmation link click (actor: nil)"
-      accept [
-        :email,
-        :confirmation_token_hash,
-        :status,
-        :submitted_at,
-        :source,
-        :schema_version,
-        :payload
-      ]
+      accept [:email, :confirmation_token_hash, :payload]
+
+      change Mv.Membership.JoinRequest.Changes.SetConfirmServerMetadata
     end
 
     update :update do
@@ -58,12 +61,11 @@ defmodule Mv.Membership.JoinRequest do
   policies do
     policy action(:confirm) do
       description "Allow public confirmation (actor nil) for join flow"
-      authorize_if Ash.Policy.Check.Builtins.actor_absent()
+      authorize_if AshBuiltins.actor_absent()
     end
 
-    policy action_type(:read) do
-      description "Allow read when actor nil (success page) or when user has permission"
-      authorize_if Ash.Policy.Check.Builtins.actor_absent()
+    policy action(:admin_read) do
+      description "List/get JoinRequests only with permission (admin, later normal_user)"
       authorize_if Mv.Authorization.Checks.HasPermission
     end