local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 66 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

Secure regenerate_cycles: require can?(:create, MembershipFeeCycle) in handler

Browse source 
- Handler returns flash error when non-admin triggers event (e.g. DevTools).
- Test: read_only cannot create MembershipFeeCycle so handler rejects.
This commit is contained in:
Moritz 2026-02-04 09:19:37 +01:00
parent 03d3a7eb1b
commit dbd0a57292
2 changed files with 55 additions and 33 deletions
Download patch file Download diff file Expand all files Collapse all files

75
lib/mv_web/live/member_live/show/membership_fees_component.ex
View file

@ -568,45 +568,54 @@ defmodule MvWeb.MemberLive.Show.MembershipFeesComponent do
end end
def handle_event("regenerate_cycles", _params, socket) do def handle_event("regenerate_cycles", _params, socket) do
# Button is only shown when can_create_cycle (normal_user and admin). Cycle generation uses system actor. # Server-side authorization: do not rely on UI hiding the button (e.g. read_only could trigger via DevTools).
socket = assign(socket, :regenerating, true) actor = current_actor(socket)
member = socket.assigns.member
case CycleGenerator.generate_cycles_for_member(member.id) do if can?(actor, :create, MembershipFeeCycle) do
{:ok, _new_cycles, _notifications} -> socket = assign(socket, :regenerating, true)
actor = current_actor(socket) member = socket.assigns.member
updated_member = case CycleGenerator.generate_cycles_for_member(member.id) do
member {:ok, _new_cycles, _notifications} ->
|> Ash.load!( actor = current_actor(socket)
[
:membership_fee_type,
membership_fee_cycles: [:membership_fee_type]
],
actor: actor
)
cycles = updated_member =
Enum.sort_by( member
updated_member.membership_fee_cycles || [], |> Ash.load!(
& &1.cycle_start, [
{:desc, Date} :membership_fee_type,
) membership_fee_cycles: [:membership_fee_type]
],
actor: actor
)
send(self(), {:member_updated, updated_member}) cycles =
Enum.sort_by(
updated_member.membership_fee_cycles || [],
& &1.cycle_start,
{:desc, Date}
)
{:noreply, send(self(), {:member_updated, updated_member})
socket
|> assign(:member, updated_member)
|> assign(:cycles, cycles)
|> assign(:regenerating, false)
|> put_flash(:info, gettext("Cycles regenerated successfully"))}
{:error, error} -> {:noreply,
{:noreply, socket
socket |> assign(:member, updated_member)
|> assign(:regenerating, false) |> assign(:cycles, cycles)
|> put_flash(:error, format_error(error))} |> assign(:regenerating, false)
|> put_flash(:info, gettext("Cycles regenerated successfully"))}
{:error, error} ->
{:noreply,
socket
|> assign(:regenerating, false)
|> put_flash(:error, format_error(error))}
end
else
{:noreply,
socket
|> assign(:regenerating, false)
|> put_flash(:error, format_error(%Ash.Error.Forbidden{}))}
end end
end end

13
test/mv_web/member_live/show_membership_fees_test.exs
View file

@ -320,6 +320,19 @@ defmodule MvWeb.MemberLive.ShowMembershipFeesTest do
end end
end end
describe "read_only cannot trigger regenerate_cycles (handler enforces can?)" do
@tag role: :read_only
test "read_only cannot create MembershipFeeCycle so regenerate_cycles handler would show flash error",
%{current_user: read_only_user} do
# The regenerate_cycles handler checks can?(actor, :create, MembershipFeeCycle) before
# calling the generator. If a read_only user triggered the event (e.g. via DevTools),
# the handler returns flash error and no new cycles are created.
# This test verifies the condition the handler uses.
refute MvWeb.Authorization.can?(read_only_user, :create, MembershipFeeCycle),
"read_only must not be allowed to create MembershipFeeCycle so handler rejects regenerate_cycles"
end
end
describe "confirm_delete_all_cycles handler (policy enforced)" do describe "confirm_delete_all_cycles handler (policy enforced)" do
@tag role: :admin @tag role: :admin
test "admin can delete all cycles via UI and cycles are removed", %{conn: conn} do test "admin can delete all cycles via UI and cycles are removed", %{conn: conn} do