local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 67 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

Prevent deletion of system actor user

Browse source 
Add destroy validation and explicit destroy action (primary, require_atomic? false).
Validation blocks destroy when email == SystemActor.system_user_email().
This commit is contained in:
Moritz 2026-01-27 14:29:07 +01:00 committed by moritz
parent acb33b9f3b
commit b7f37c80bd
1 changed files with 20 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

21
lib/accounts/user.ex
View file

@ -86,7 +86,13 @@ defmodule Mv.Accounts.User do
# - :create_user (for manual user creation with optional member link) # - :create_user (for manual user creation with optional member link)
# - :register_with_password (for password-based registration) # - :register_with_password (for password-based registration)
# - :register_with_rauthy (for OIDC-based registration) # - :register_with_rauthy (for OIDC-based registration)
defaults [:read, :destroy] defaults [:read]
destroy :destroy do
primary? true
# Required because custom validation (system actor protection) cannot run atomically
require_atomic? false
end
# Primary generic update action: # Primary generic update action:
# - Selected by AshAdmin's generated "Edit" UI and generic AshPhoenix # - Selected by AshAdmin's generated "Edit" UI and generic AshPhoenix
@ -359,6 +365,19 @@ defmodule Mv.Accounts.User do
:ok :ok
end end
end end
# Prevent deletion of the system actor user (required for internal operations)
validate fn changeset, _context ->
if to_string(changeset.data.email) == Mv.Helpers.SystemActor.system_user_email() do
{:error,
field: :email,
message:
"Cannot delete system actor user. This user is required for internal operations."}
else
:ok
end
end,
on: [:destroy]
end end
def validate_oidc_id_present(changeset, _context) do def validate_oidc_id_present(changeset, _context) do