From d320cdf14e366f9ed055bef09a93c32a12a83c63 Mon Sep 17 00:00:00 2001
From: Moritz <moritz.m@local-it.org>
Date: Sat, 24 Jan 2026 19:13:07 +0100
Subject: [PATCH] Fix HasPermission check to handle nil member_id gracefully

---
 lib/mv/authorization/checks/has_permission.ex | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/lib/mv/authorization/checks/has_permission.ex b/lib/mv/authorization/checks/has_permission.ex
index 97b74c0..1a478b8 100644
--- a/lib/mv/authorization/checks/has_permission.ex
+++ b/lib/mv/authorization/checks/has_permission.ex
@@ -348,12 +348,22 @@ defmodule Mv.Authorization.Checks.HasPermission do
       "Member" ->
         # User.member_id → Member.id (inverse relationship)
         # Filter: member.id == actor.member_id
-        {:filter, expr(id == ^actor.member_id)}
+        # If actor has no member_id, return no results (use false or impossible condition)
+        if is_nil(actor.member_id) do
+          {:filter, expr(false)}
+        else
+          {:filter, expr(id == ^actor.member_id)}
+        end
 
       "CustomFieldValue" ->
         # CustomFieldValue.member_id → Member.id → User.member_id
         # Filter: custom_field_value.member_id == actor.member_id
-        {:filter, expr(member_id == ^actor.member_id)}
+        # If actor has no member_id, return no results
+        if is_nil(actor.member_id) do
+          {:filter, expr(false)}
+        else
+          {:filter, expr(member_id == ^actor.member_id)}
+        end
 
       _ ->
         # Fallback for other resources