Add authorization policies to CustomFieldValue resource

- Authorizer and policies: bypass for read (member_id == actor.member_id), CustomFieldValueCreateScope for create, HasPermission for read/update/destroy. - HasPermission: pass authorizer into strict_check helper; document that create must use a dedicated check (no filter).
2026-01-27 13:40:22 +01:00 · 2026-01-27 13:40:22 +01:00 · bf2d0352c1
commit bf2d0352c1
parent c7c6b318ac
2 changed files with 39 additions and 4 deletions
--- a/lib/membership/custom_field_value.ex
+++ b/lib/membership/custom_field_value.ex
@ -39,7 +39,11 @@ defmodule Mv.Membership.CustomFieldValue do
  """
  use Ash.Resource,
    domain: Mv.Membership,
-    data_layer: AshPostgres.DataLayer
+    data_layer: AshPostgres.DataLayer,
+    authorizers: [Ash.Policy.Authorizer]
+
+  require Ash.Query
+  import Ash.Expr

  postgres do
    table "custom_field_values"
@ -62,6 +66,36 @@ defmodule Mv.Membership.CustomFieldValue do
    end
  end

+  # Authorization Policies
+  # Order matters: Most specific policies first, then general permission check
+  # Pattern aligns with User and Member resources (bypass for READ, HasPermission for update/destroy)
+  # Create uses CustomFieldValueCreateScope because Ash cannot apply filters to create actions.
+  policies do
+    # SPECIAL CASE: Users can READ custom field values of their linked member
+    # Bypass needed for list queries (expr triggers auto_filter in Ash)
+    bypass action_type(:read) do
+      description "Users can read custom field values of their linked member"
+      authorize_if expr(member_id == ^actor(:member_id))
+    end
+
+    # CREATE: CustomFieldValueCreateScope (no filter; Ash rejects filters on create)
+    # - :own_data -> create allowed when member_id == actor.member_id (scope :linked)
+    # - :read_only -> no create permission
+    # - :normal_user / :admin -> create allowed (scope :all)
+    policy action_type(:create) do
+      description "CustomFieldValue create allowed by permission set scope"
+      authorize_if Mv.Authorization.Checks.CustomFieldValueCreateScope
+    end
+
+    # READ/UPDATE/DESTROY: HasPermission (scope :linked / :all)
+    policy action_type([:read, :update, :destroy]) do
+      description "Check permissions from user's role and permission set"
+      authorize_if Mv.Authorization.Checks.HasPermission
+    end
+
+    # DEFAULT: Ash implicitly forbids if no policy authorized (fail-closed)
+  end
+
  attributes do
    uuid_primary_key :id