Remove NoActor module, improve Member validation, update docs

2026-01-24 10:43:20 +01:00 · 2026-01-24 10:43:20 +01:00 · b545d2b9e1
commit b545d2b9e1
parent 71c13d0ac0
4 changed files with 40 additions and 127 deletions
--- a/lib/membership/member.ex
+++ b/lib/membership/member.ex
@ -393,11 +393,28 @@ defmodule Mv.Membership.Member do
        user_id = user_arg[:id]
        current_member_id = changeset.data.id

-        # This is an integrity check, not a user authorization check
-        # Use authorize?: false to bypass policies for this internal validation query
-        # This ensures the validation always works regardless of actor availability
-        # (consistent with MembershipFeeType destroy validations)
-        case Ash.get(Mv.Accounts.User, user_id, authorize?: false) do
+        # Get actor from changeset context (may be nil)
+        actor = Map.get(changeset.context || %{}, :actor)
+
+        # Check if authorization is disabled in the parent operation's context
+        # Access private context where authorize? flag is stored
+        authorize? =
+          case get_in(changeset.context, [:private, :authorize?]) do
+            false -> false
+            _ -> true
+          end
+
+        # Use actor for authorization when available and authorize? is true
+        # Fall back to authorize?: false only for bootstrap/system operations
+        # This ensures normal operations respect authorization while system operations work
+        query_opts =
+          if actor && authorize? do
+            [actor: actor]
+          else
+            [authorize?: false]
+          end
+
+        case Ash.get(Mv.Accounts.User, user_id, query_opts) do
          # User is free to be linked
          {:ok, %{member_id: nil}} ->
            :ok