local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 67 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

Restrict Actor.ensure_loaded to Mv.Accounts.User only

Browse source 
Pattern match on %Mv.Accounts.User{} instead of generic actor.
Clearer intention, prevents accidental authorization bypasses.
Non-User actors are returned as-is (no-op).
This commit is contained in:
Moritz 2026-01-22 23:17:55 +01:00 committed by Simon
parent 726f164b28
commit ef4df57a6f
Signed by: simon
GPG key ID: 40E7A58C4AA1EDB2
2 changed files with 20 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

12
test/mv/authorization/actor_test.exs
View file

@ -72,13 +72,13 @@ defmodule Mv.Authorization.ActorTest do
assert result.role.id == role.id
end
test "handles load errors gracefully (returns original actor)" do
# Create a plain map (not a real Ash resource)
fake_actor = %{id: "fake", role: %Ash.NotLoaded{field: :role}}
test "returns non-User actors as-is (no-op)" do
# Create a plain map (not Mv.Accounts.User)
other_actor = %{id: "fake", role: %Ash.NotLoaded{field: :role}}
# Should not crash, returns original
result = Actor.ensure_loaded(fake_actor)
assert result == fake_actor
# Should return as-is (pattern match doesn't apply to non-User)
result = Actor.ensure_loaded(other_actor)
assert result == other_actor
end
end
end