From f0134f00eeb7b1f2424be554600779b92a8e4bb8 Mon Sep 17 00:00:00 2001 From: Moritz Date: Fri, 30 Jan 2026 11:13:41 +0100 Subject: [PATCH] Docs: note User-Member Linking enforcement in code - update_user restricted via ActorIsAdmin; Form gates Member-Linking UI --- docs/roles-and-permissions-architecture.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/roles-and-permissions-architecture.md b/docs/roles-and-permissions-architecture.md index 5b930a7..dbf2353 100644 --- a/docs/roles-and-permissions-architecture.md +++ b/docs/roles-and-permissions-architecture.md @@ -2002,6 +2002,8 @@ Users and Members are separate entities that can be linked. Special rules: - A user cannot link themselves to an existing member - A user CAN create a new member and be directly linked to it (self-service) +**Enforcement:** The User resource restricts the `update_user` action (which accepts the `member` argument for link/unlink) to admins only via `Mv.Authorization.Checks.ActorIsAdmin`. The UserLive.Form shows the Member-Linking UI and runs member link/unlink on save only when the current user is admin; non-admins use the `:update` action (email only) for profile edit. + ### Approach: Separate Ash Actions We use **different Ash actions** to enforce different policies:
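Review bot: The new **Enforcement** paragraph leaves the self-service path from the bullet just above it ("A user CAN create a new member and be directly linked to it") undocumented: if `update_user` (the only action that accepts the `member` argument) is admin-only via `Mv.Authorization.Checks.ActorIsAdmin`, and non-admins only get `:update` (email only), the reader cannot tell which action performs the non-admin create-and-link flow or which policy guards it; name that action and its check here, or point to the section that does. Two more points worth stating in the same paragraph: the Ash policy on `update_user` is the actual security boundary and the UserLive.Form gating is only a UI convenience (a non-admin can call the action without the form), and the `:update` action must not accept `member` at all, otherwise the email-only description is misleading; a short sentence such as "`:update` accepts only `email`; `member` is rejected as an unknown argument" would make that explicit. Style: the doc mixes `update_user` and `:update` for action names; use one notation (`:update_user` / `:update`) consistently.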