Add authorization policies to CustomFieldValue resource

- Authorizer and policies: bypass for read (member_id == actor.member_id),
  CustomFieldValueCreateScope for create, HasPermission for read/update/destroy.
- HasPermission: pass authorizer into strict_check helper; document that create
  must use a dedicated check (no filter).
Moritz 2026-01-27 13:40:22 +01:00 committed by moritz
parent c7c6b318ac
commit bf2d0352c1
2 changed files with 39 additions and 4 deletions


@ -110,12 +110,12 @@ defmodule Mv.Authorization.Checks.HasPermission do
{:ok, false}
true ->
strict_check_with_permissions(actor, resource, action, record)
strict_check_with_permissions(actor, resource, action, record, authorizer)
end
end
# Helper function to reduce nesting depth
defp strict_check_with_permissions(actor, resource, action, record) do
defp strict_check_with_permissions(actor, resource, action, record, _authorizer) do
# Ensure role is loaded (fallback if on_mount didn't run)
actor = ensure_role_loaded(actor)
@ -148,6 +148,7 @@ defmodule Mv.Authorization.Checks.HasPermission do
else
# No record yet (e.g., read/list queries) - deny at strict_check level
# Resources must use expr-based bypass policies for list filtering
# Create: use a dedicated check that does not return a filter (e.g. CustomFieldValueCreateScope)
{:ok, false}
end
@ -213,7 +214,7 @@ defmodule Mv.Authorization.Checks.HasPermission do
{:filter, filter_expr} ->
# :linked or :own scope - apply filter
# filter_expr is a keyword list from expr(...), return it directly
# Create actions must not use HasPermission (use a dedicated check, e.g. CustomFieldValueCreateScope)
filter_expr
false ->
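Review bot: The rule that create actions must not go through HasPermission is stated only in the two added comments (above `{:ok, false}` and in the `{:filter, filter_expr}` branch); nothing in the visible code enforces it. The `authorizer` now passed to `strict_check_with_permissions/5` is bound as `_authorizer`, so the helper accepts it without using it. The no-record branch returns `{:ok, false}`, but the filter branch still returns `filter_expr` whatever the action type, so a create policy wired to this check by mistake would rely on how the framework handles a filter on create rather than on an explicit deny. Consider dropping the unused parameter or using it to reject create actions explicitly; if it stays, say so at the definition, e.g. `# authorizer is accepted but not used yet; create policies must use a dedicated check`. The helper's body and the function holding the filter branch both continue outside the hunks shown, so a guard elsewhere in them cannot be ruled out.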