Security: Fix critical deny-filter bug and improve authorization

CRITICAL FIX: Deny-filter was allowing all records instead of denying Fix: User validation in Member now uses actor from changeset.context
2026-01-08 23:12:07 +01:00 · 2026-01-08 23:12:07 +01:00 · fecf98dc0e
commit fecf98dc0e
parent e5eb3b7e89
6 changed files with 1356 additions and 14 deletions
--- a/test/mv/authorization/checks/has_permission_integration_test.exs
+++ b/test/mv/authorization/checks/has_permission_integration_test.exs
@ -28,7 +28,7 @@ defmodule Mv.Authorization.Checks.HasPermissionIntegrationTest do
  end

  describe "Filter Expression Structure - :linked scope" do
-    test "Member filter uses user.id relationship path" do
+    test "Member filter uses actor.member_id (inverse relationship)" do
      actor = create_actor_with_role("own_data", member_id: "member-123")
      authorizer = create_authorizer(Mv.Membership.Member, :read)

@ -42,7 +42,7 @@ defmodule Mv.Authorization.Checks.HasPermissionIntegrationTest do
      assert is_list(filter) or is_map(filter)
    end

-    test "CustomFieldValue filter uses member.user.id relationship path" do
+    test "CustomFieldValue filter uses actor.member_id (via member relationship)" do
      actor = create_actor_with_role("own_data", member_id: "member-123")
      authorizer = create_authorizer(Mv.Membership.CustomFieldValue, :read)