From cf6bd4a6a14e596d46999c3e9277faaaebac7af9 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Fri, 30 Jan 2026 11:13:34 +0100
Subject: [PATCH] UserPoliciesTest: use :update for non-admin own-email and forbid-other
- own_data, read_only, normal_user: can update own email via :update
- cannot update other users: use :update (scope :own forbids)
---
 test/mv/accounts/user_policies_test.exs | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/test/mv/accounts/user_policies_test.exs b/test/mv/accounts/user_policies_test.exs
index 7676403..736b336 100644
--- a/test/mv/accounts/user_policies_test.exs
+++ b/test/mv/accounts/user_policies_test.exs
@@ -95,9 +95,10 @@ defmodule Mv.Accounts.UserPoliciesTest do
 test "can update own email", %{user: user} do
 new_email = "updated#{System.unique_integer([:positive])}@example.com"
+ # Non-admins use :update (email only); :update_user is admin-only (member link/unlink).
 {:ok, updated_user} =
 user
- |> Ash.Changeset.for_update(:update_user, %{email: new_email})
+ |> Ash.Changeset.for_update(:update, %{email: new_email})
 |> Ash.update(actor: user)
 assert updated_user.email == Ash.CiString.new(new_email)
@@ -118,7 +119,7 @@ defmodule Mv.Accounts.UserPoliciesTest do
 test "cannot update other users (returns forbidden)", %{user: user, other_user: other_user} do
 assert_raise Ash.Error.Forbidden, fn ->
 other_user
- |> Ash.Changeset.for_update(:update_user, %{email: "hacked@example.com"})
+ |> Ash.Changeset.for_update(:update, %{email: "hacked@example.com"})
 |> Ash.update!(actor: user)
 end
 end
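Review bot: After this change nothing in the visible hunks calls `:update_user` as a non-admin, so the claim in the added comment (hunk at -95, repeated at -163 and -231) that `:update_user` is admin-only is not pinned by any assertion here. The removed lines were the only visible use of that action for these roles, and the denial tests at -118, -186 and -254 now exercise `:update` only. Unless this is covered elsewhere in the file, I would add a denial test for `:update_user` against both the actor's own record and `other_user` in each of the three describe blocks, so that a later loosening of the policy on the action that handles member link/unlink fails a test. The describe blocks and their setup lie outside the hunks, so the context keys below are taken from the existing denial test, and the expected `Ash.Error.Forbidden` assumes the policy behaves as the comment describes.

```elixir
test "cannot use admin-only :update_user (returns forbidden)", %{user: user, other_user: other_user} do
  # Own record and foreign record: both must be denied for a non-admin actor.
  for target <- [user, other_user] do
    assert_raise Ash.Error.Forbidden, fn ->
      target
      |> Ash.Changeset.for_update(:update_user, %{email: "denied@example.com"})
      |> Ash.update!(actor: user)
    end
  end
end
```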
@@ -163,9 +164,10 @@ defmodule Mv.Accounts.UserPoliciesTest do
 test "can update own email", %{user: user} do
 new_email = "updated#{System.unique_integer([:positive])}@example.com"
+ # Non-admins use :update (email only); :update_user is admin-only (member link/unlink).
 {:ok, updated_user} =
 user
- |> Ash.Changeset.for_update(:update_user, %{email: new_email})
+ |> Ash.Changeset.for_update(:update, %{email: new_email})
 |> Ash.update(actor: user)
 assert updated_user.email == Ash.CiString.new(new_email)
@@ -186,7 +188,7 @@ defmodule Mv.Accounts.UserPoliciesTest do
 test "cannot update other users (returns forbidden)", %{user: user, other_user: other_user} do
 assert_raise Ash.Error.Forbidden, fn ->
 other_user
- |> Ash.Changeset.for_update(:update_user, %{email: "hacked@example.com"})
+ |> Ash.Changeset.for_update(:update, %{email: "hacked@example.com"})
 |> Ash.update!(actor: user)
 end
 end
@@ -231,9 +233,10 @@ defmodule Mv.Accounts.UserPoliciesTest do
 test "can update own email", %{user: user} do
 new_email = "updated#{System.unique_integer([:positive])}@example.com"
+ # Non-admins use :update (email only); :update_user is admin-only (member link/unlink).
 {:ok, updated_user} =
 user
- |> Ash.Changeset.for_update(:update_user, %{email: new_email})
+ |> Ash.Changeset.for_update(:update, %{email: new_email})
 |> Ash.update(actor: user)
 assert updated_user.email == Ash.CiString.new(new_email)
@@ -254,7 +257,7 @@ defmodule Mv.Accounts.UserPoliciesTest do
 test "cannot update other users (returns forbidden)", %{user: user, other_user: other_user} do
 assert_raise Ash.Error.Forbidden, fn ->
 other_user
- |> Ash.Changeset.for_update(:update_user, %{email: "hacked@example.com"})
+ |> Ash.Changeset.for_update(:update, %{email: "hacked@example.com"})
 |> Ash.update!(actor: user)
 end
 end