local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 67 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions
1187 commits 13 branches 0 tags 7.9 MiB
Commit graph

33 commits

Author SHA1 Message Date
Moritz
5194b20b5c
Fix unlink-by-omission: on_missing :ignore, test, doc, string-key
Some checks failed
continuous-integration/drone/push Build is failing
Details 
- Member update_member: on_missing :unrelate → :ignore (no unlink when :user omitted)
- Test: normal_user update linked member without :user keeps link
- Doc: unlink only explicit (user: nil), admin-only; Actor.admin?(nil) note
- Check: defense-in-depth for "user" string key
 2026-02-04 14:07:39 +01:00
Moritz
543fded102
Harden member user-link check: argument presence, nil actor, policy scope 
- Forbid on :user argument presence (not value) to block unlink via nil/empty
- Defensive nil actor handling; policy restricted to create/update only
- Test: Ash.load with actor; test non-admin cannot unlink via user: nil
- Docs: unlink behaviour and policy split
 2026-02-04 14:07:39 +01:00
Moritz
34e049ef32
Refactor member user-link tests: shared setup 
Use describe-level setup for normal_user, admin, unlinked_member.
 2026-02-04 14:07:39 +01:00
Moritz
26fbafdd9d
Restrict member user link to admins (forbid policy) 
Add ForbidMemberUserLinkUnlessAdmin check; forbid_if on Member create/update.
Fix member user-link tests: pass :user in params, assert via reload.
 2026-02-04 14:07:38 +01:00
Moritz
c035d0f141 Docs: groups and roles/permissions architecture, Group moduledoc
All checks were successful
continuous-integration/drone/push Build is passing
Details 
- groups-architecture: normal_user and admin can manage groups.
- roles-and-permissions: matrix and MembershipFeeCycle :linked for own_data.
- group_policies_test: update moduledoc.
 2026-02-04 09:20:26 +01:00
Moritz
890a4d3752 MemberGroup: restrict bypass to own_data via MemberGroupReadLinkedForOwnData 
- ActorPermissionSetIs check; bypass policy filters by member_id for own_data only.
- Admin with member_id still gets :all via HasPermission. Tests added.
 2026-02-04 09:19:57 +01:00
Moritz
a2e1054c8d Tests: use Mv.Fixtures, fix warnings, Credo TODO disable 
- Policy tests: use Fixtures where applicable; create_custom_field() fix in custom_field_value.
- Replace unused actor with _actor, remove unused alias Accounts in policy tests.
- profile_navigation_test: disable Credo for intentional TODO comment.
 2026-02-04 00:34:12 +01:00
Moritz
5889683854 Add resource policies for Group, MemberGroup, MembershipFeeType, MembershipFeeCycle 
- Group/MemberGroup/MembershipFeeType/MembershipFeeCycle: HasPermission policy
- normal_user: Group and MembershipFeeCycle create/update/destroy; pages /groups/new, /groups/:slug/edit
- Add policy tests for all four resources
 2026-02-03 23:52:12 +01:00
Moritz
131904f172
Test: assert on error field :email instead of message string
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/promote/production Build is passing
Details
2026-02-03 16:07:47 +01:00
Moritz
4ea31f0f37 Add email-change permission validation for linked members
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Only admins or the linked user may change a linked member's email.
- New validation EmailChangePermission (uses Actor.admin?, Loader.get_linked_user).
- Register on Member update_member; docs and gettext.
 2026-02-03 14:35:32 +01:00
carla
86a3c4e50e tests: add tests for import 2026-02-02 13:07:00 +01:00
Moritz
4473cfd372 Tests: use code interface for Member create/update (actor propagation)
Some checks reported errors
continuous-integration/drone/push Build was killed
Details
continuous-integration/drone/promote/production Build is passing
Details
2026-01-29 16:10:12 +01:00
Moritz
36b5d5880b Add CustomField resource policies and tests 
- Add policies block with HasPermission for read/create/update/destroy
- Add authorizers: [Ash.Policy.Authorizer] to CustomField resource
- Add custom_field_policies_test.exs (read all roles, write admin only)
- Fix CustomField path in roles-and-permissions doc (lib/membership)
 2026-01-29 16:10:12 +01:00
Moritz
0219073d33 CFV policies test: system_actor for setup, verify destroy with actor 
- create_linked_member_for_user and create_unlinked_member use actor
  (system_actor) directly instead of creating admin user per call
- Remove create_admin_user helper
- After destroy, verify with Ash.get(..., actor: actor) to avoid
  false positive from Forbidden vs NotFound
 2026-01-27 16:07:01 +01:00
Moritz
4e032ea778 Add CustomFieldValue policy tests (own_data, read_only, normal_user, admin) 
Covers read/update/create/destroy for linked vs unlinked members and CRUD
permissions per permission set.
 2026-01-27 16:07:01 +01:00
Moritz
17831a0948 Pass actor to CustomFieldValue destroy and load in existing tests 
Required after CustomFieldValue gained authorization policies.
 2026-01-27 16:07:01 +01:00
Moritz
562265f212 Security: Require actor parameter in CSV import 
Remove fallback to system_actor in process_chunk to prevent
unauthorized access. Actor must now be explicitly provided.
 2026-01-25 18:33:25 +01:00
Moritz
b9d68a3417
Fix test helpers: Use actor parameter correctly 2026-01-24 02:21:09 +01:00
Moritz
0f48a9b15a
Add actor parameter to all tests requiring authorization 
This commit adds actor: system_actor to all Ash operations in tests that
require authorization.
 2026-01-24 02:21:02 +01:00
Moritz
0abcf540bb refactor: Replace length/1 with empty list comparison 
Replace expensive length/1 calls with direct list comparison
to fix Credo warnings about performance
 2026-01-20 15:58:15 +01:00
carla
3cbd90ecdd feat: adds error capping 2026-01-19 12:02:28 +01:00
carla
7da037d81d refactor: adds schemales changeset and validation constant 2026-01-19 11:43:51 +01:00
carla
8b3cc6a6b2 feat: adds row validation 2026-01-19 11:22:11 +01:00
carla
6dc398fa5a refactor: reduce complexity 2026-01-15 17:00:17 +01:00
carla
0673684cc1 test: adds tests for header normalization 2026-01-15 16:11:02 +01:00
carla
3bbe9895ee fix: improve CSV parser error handling 2026-01-15 11:08:22 +01:00
carla
31cf07c071 test: updated tests 2026-01-15 10:10:14 +01:00
carla
4b41ab37bb Merge branch 'main' into feature/330_import_service_skeleton 2026-01-14 12:30:40 +01:00
carla
aa3fb0c49b fix linting 2026-01-14 10:48:36 +01:00
carla
aa62e03409 skip test for now
Some checks failed
continuous-integration/drone/push Build is failing
Details
2026-01-14 09:11:44 +01:00
Moritz
70729bdd73
Fix: HasPermission auto_filter and strict_check implementation 
Fixes security issue where auto_filter returned nil instead of proper
filter expressions, which could lead to incorrect authorization behavior.
 2026-01-13 15:01:54 +01:00
Moritz
93190d558f
test: add Member resource policy tests 2026-01-13 15:01:53 +01:00
carla
cc6d72b6b1 feat: add service skeleton and tests
Some checks failed
continuous-integration/drone/push Build is failing
Details
2026-01-13 11:44:40 +01:00