Remove unused PolicyHelpers macro and PolicyConsistency test
Dead code: the macro was never used anywhere in the codebase. The PolicyConsistency test will be replaced with a better implementation.
This commit is contained in:
parent
f2def20fce
commit
e60bb6926f
2 changed files with 0 additions and 144 deletions
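--- a/<path not shown on page: file defining Mv.Authorization.PolicyHelpers>
+++ /dev/null
@@ -1,40 +0,0 @@
-defmodule Mv.Authorization.PolicyHelpers do
-@moduledoc """
-Policy helpers for consistent bypass vs HasPermission patterns.
-
-## Pattern: READ Bypass + UPDATE HasPermission
-
-For resources with scope :own/:linked permissions:
-- READ: Use bypass with expr() for auto_filter
-- UPDATE/CREATE/DESTROY: Use HasPermission for scope evaluation
-
-## Usage
-
-use Mv.Authorization.PolicyHelpers
-
-policies do
-# Standard pattern for User resource
-standard_user_policies()
-end
-
-## Why This Pattern?
-
-See `docs/policy-bypass-vs-haspermission.md` for detailed explanation.
-"""
-
-defmacro standard_user_policies do
-quote do
-# READ: Bypass for auto_filter
-bypass action_type(:read) do
-description "Users can read their own records"
-authorize_if expr(id == ^actor(:id))
-end
-
-# UPDATE/CREATE/DESTROY: HasPermission
-policy action_type([:update, :create, :destroy]) do
-description "Check permissions from role"
-authorize_if Mv.Authorization.Checks.HasPermission
-end
-end
-end
-end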
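--- a/<path not shown on page: file defining Mv.Authorization.PolicyConsistencyTest>
+++ /dev/null
@@ -1,104 +0,0 @@
-defmodule Mv.Authorization.PolicyConsistencyTest do
-@moduledoc """
-Tests to ensure policy consistency across resources.
-
-Verifies that resources with scope :own/:linked permissions for READ
-have corresponding READ bypass policies (as required by the two-tier pattern).
-"""
-use ExUnit.Case, async: true
-
-alias Mv.Authorization.PermissionSets
-
-describe "Policy Pattern Consistency" do
-test "resources with scope :own/:linked for READ have READ bypass" do
-# Get all permission sets
-permission_sets = PermissionSets.all_permission_sets()
-
-# Collect all resources with scope :own/:linked for READ
-resources_with_filter_scope =
-for permission_set <- permission_sets,
-permissions = PermissionSets.get_permissions(permission_set),
-perm <- permissions.resources,
-perm.action == :read,
-perm.scope in [:own, :linked],
-perm.granted == true,
-do: perm.resource
-
-# Remove duplicates
-unique_resources = Enum.uniq(resources_with_filter_scope)
-
-# Expected resources that should have READ bypass
-expected_resources = ["User", "Member", "CustomFieldValue"]
-
-# Verify all expected resources are in the list
-for resource <- expected_resources do
-assert resource in unique_resources,
-"Resource #{resource} has scope :own/:linked for READ but may not have READ bypass policy. " <>
-"See docs/policy-bypass-vs-haspermission.md for the two-tier pattern."
-end
-end
-
-test "resources with scope :own/:linked for UPDATE use HasPermission" do
-# Get all permission sets
-permission_sets = PermissionSets.all_permission_sets()
-
-# Collect all resources with scope :own/:linked for UPDATE
-resources_with_filter_scope =
-for permission_set <- permission_sets,
-permissions = PermissionSets.get_permissions(permission_set),
-perm <- permissions.resources,
-perm.action == :update,
-perm.scope in [:own, :linked],
-perm.granted == true,
-do: perm.resource
-
-# Remove duplicates
-unique_resources = Enum.uniq(resources_with_filter_scope)
-
-# Expected resources that should use HasPermission for UPDATE
-expected_resources = ["User", "Member", "CustomFieldValue"]
-
-# Verify all expected resources are in the list
-for resource <- expected_resources do
-assert resource in unique_resources,
-"Resource #{resource} should use HasPermission for UPDATE with scope :own/:linked. " <>
-"See docs/policy-bypass-vs-haspermission.md for the two-tier pattern."
-end
-end
-
-test "all permission sets grant User.update (own or all)" do
-# Verify that all permission sets grant User.update
-# - :own_data, :read_only, :normal_user grant User.update :own
-# - :admin grants User.update :all (can update all users)
-permission_sets = PermissionSets.all_permission_sets()
-
-for permission_set <- permission_sets do
-permissions = PermissionSets.get_permissions(permission_set)
-
-user_update_perm =
-Enum.find(permissions.resources, fn perm ->
-perm.resource == "User" and perm.action == :update
-end)
-
-assert user_update_perm != nil,
-"Permission set #{permission_set} must grant User.update. " <>
-"All permission sets must allow users to update credentials."
-
-assert user_update_perm.scope in [:own, :all],
-"Permission set #{permission_set} must grant User.update with scope :own or :all. " <>
-"Current scope: #{user_update_perm.scope}"
-
-assert user_update_perm.granted == true,
-"Permission set #{permission_set} must grant User.update. " <>
-"Current granted: #{user_update_perm.granted}"
-
-# Non-admin sets should use :own
-if permission_set != :admin do
-assert user_update_perm.scope == :own,
-"Permission set #{permission_set} must grant User.update with scope :own. " <>
-"Current scope: #{user_update_perm.scope}"
-end
-end
-end
-end
-end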