From d318dad612e9f31a6c14d881d9025b126943dc9a Mon Sep 17 00:00:00 2001
From: Moritz <moritz.m@local-it.org>
Date: Fri, 30 Jan 2026 10:22:27 +0100
Subject: [PATCH] Add /users/:id (own) and /members/:id/show/edit for redirect
 and normal_user

- read_only and normal_user: allow /users/:id, /users/:id/edit, /users/:id/show/edit (own only)
- normal_user: allow /members/:id/show/edit
- Fixes redirect loop when sidebar links to profile
---
 lib/mv/authorization/permission_sets.ex | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/mv/authorization/permission_sets.ex b/lib/mv/authorization/permission_sets.ex
index 200a0dd..33964be 100644
--- a/lib/mv/authorization/permission_sets.ex
+++ b/lib/mv/authorization/permission_sets.ex
@@ -155,8 +155,11 @@ defmodule Mv.Authorization.PermissionSets do
       ],
       pages: [
         "/",
-        # Own profile
+        # Own profile (sidebar links to /users/:id; redirect target must be allowed)
         "/profile",
+        "/users/:id",
+        "/users/:id/edit",
+        "/users/:id/show/edit",
         # Member list
         "/members",
         # Member detail
@@ -202,14 +205,18 @@ defmodule Mv.Authorization.PermissionSets do
       ],
       pages: [
         "/",
-        # Own profile
+        # Own profile (sidebar links to /users/:id; redirect target must be allowed)
         "/profile",
+        "/users/:id",
+        "/users/:id/edit",
+        "/users/:id/show/edit",
         "/members",
         # Create member
         "/members/new",
         "/members/:id",
         # Edit member
         "/members/:id/edit",
+        "/members/:id/show/edit",
         "/custom_field_values",
         # Custom field value detail
         "/custom_field_values/:id",