5ed41555e9
Member/Setting/validations: domain, actor, and seeds
...
- setting.ex: domain/authorize for default_membership_fee_type_id check
- validate_same_interval: require membership_fee_type (no None)
- set_membership_fee_start_date: domain/actor for fee type lookup
- Validations: domain/authorize for cross-resource checks
- helpers.ex, email_sync change, seeds.exs actor/authorize fixes
- Update related tests
2026-02-03 23:52:16 +01:00
5889683854
Add resource policies for Group, MemberGroup, MembershipFeeType, MembershipFeeCycle
...
- Group/MemberGroup/MembershipFeeType/MembershipFeeCycle: HasPermission policy
- normal_user: Group and MembershipFeeCycle create/update/destroy; pages /groups/new, /groups/:slug/edit
- Add policy tests for all four resources
2026-02-03 23:52:12 +01:00
4ea31f0f37
Add email-change permission validation for linked members
...
continuous-integration/drone/push Build is passing
Only admins or the linked user may change a linked member's email.
- New validation EmailChangePermission (uses Actor.admin?, Loader.get_linked_user).
- Register on Member update_member; docs and gettext.
2026-02-03 14:35:32 +01:00
5a2f035ecc
CustomField policies: actor required, no system-actor fallback, error handling
...
- list_required_custom_fields: require actor (two clauses, no default)
- Member validation: use context.actor only, differentiate Forbidden vs transient errors
- stream_custom_fields: log + send flash on error instead of returning []
- GlobalSettingsLive: handle_info for custom_fields_load_error, put_flash
- Seeds: use Membership.update_member with actor, format
2026-01-29 16:10:12 +01:00
1d17c4f2dd
fix: CustomField policies, no system-actor fallback, guidelines
...
- Tests and UI pass actor for CustomField create/read/destroy; seeds use actor
- Member required-custom-fields validation uses context.actor only (no fallback)
- CODE_GUIDELINES: add rule forbidding system-actor fallbacks
2026-01-29 16:10:12 +01:00
36b5d5880b
Add CustomField resource policies and tests
...
- Add policies block with HasPermission for read/create/update/destroy
- Add authorizers: [Ash.Policy.Authorizer] to CustomField resource
- Add custom_field_policies_test.exs (read all roles, write admin only)
- Fix CustomField path in roles-and-permissions doc (lib/membership)
2026-01-29 16:10:12 +01:00
ddc8335cc0
refactor: improve groups LiveView based on code review feedback
continuous-integration/drone/push Build is passing
2026-01-28 10:33:27 +01:00
6faa9847f4
feat: add groups administration #372
2026-01-27 21:55:17 +01:00
5df1da1573
Merge branch 'main' into feature/371-groups-resource
continuous-integration/drone/push Build is passing
2026-01-27 17:16:34 +01:00
e92c98b559
refactor: fix review issues - member_count aggregate, migration down, docs, actor handling
continuous-integration/drone/push Build is passing
2026-01-27 17:09:07 +01:00
fc8306cfee
test: resolve warnings
continuous-integration/drone/push Build is passing
2026-01-27 16:38:17 +01:00
3f95a2dd84
CustomFieldValue: remove unused require Ash.Query
2026-01-27 16:07:01 +01:00
bf2d0352c1
Add authorization policies to CustomFieldValue resource
...
- Authorizer and policies: bypass for read (member_id == actor.member_id),
CustomFieldValueCreateScope for create, HasPermission for read/update/destroy.
- HasPermission: pass authorizer into strict_check helper; document that create
must use a dedicated check (no filter).
2026-01-27 16:07:01 +01:00
6db64bf996
feat: add groups resource #371
continuous-integration/drone/push Build is failing
2026-01-27 16:03:21 +01:00
b545d2b9e1
Remove NoActor module, improve Member validation, update docs
2026-01-24 11:59:18 +01:00
9e20766ef2
Use authorize?: false for integrity checks in validations
2026-01-24 02:21:09 +01:00
e72b7ab2e8
Remove NoActor bypass from User and Member policies
...
This removes the NoActor bypass that was masking authorization bugs in tests.
All operations now require an explicit actor for authorization.
2026-01-24 02:12:31 +01:00
079d270768
Fix authorization bypass in seeds and validations
...
continuous-integration/drone/push Build is passing
- Add authorize?: false to all bootstrap operations in seeds.exs
- Fix user-linking validation to respect authorize? context flag
- Prevents authorization errors during initial setup when no actor exists yet
2026-01-23 02:08:11 +01:00
d07f1984cd
Move require Logger to module level
...
continuous-integration/drone/push Build is passing
Move require Logger statements from function/case level to module level
for better code organization and consistency with Elixir best practices
2026-01-21 08:35:34 +01:00
5c3657fed1
Use SystemActor opts for cycle deletion operations
...
Pass actor_opts to delete_cycles/1 to ensure proper authorization
when MembershipFeeCycle policies are enforced
2026-01-21 08:02:32 +01:00
c64b74588f
Use system actor for cycle generation
...
Update cycle generator, member hooks, and job to use system actor.
Remove actor parameters as cycle generation is a mandatory side effect.
2026-01-20 22:09:20 +01:00
9c2cff6307
docs: Update domain Public API documentation
2026-01-20 15:50:08 +01:00
7da037d81d
refactor: adds schemales changeset and validation constant
2026-01-19 11:43:51 +01:00
897677a782
refactor: Replace actor option patterns with ash_actor_opts helper
...
- Replace if actor, do: [actor: actor], else: [] with Mv.Helpers.ash_actor_opts/1
- Update email_sync/loader.ex, member validations, member.ex, cycle_generator.ex
- Consistent actor handling across non-LiveView modules
2026-01-13 15:17:06 +01:00
dbd79075f5
Pass actor parameter through cycle generation
...
Extract actor from changeset context in Member hooks and pass it
through all cycle generation functions to ensure proper authorization.
2026-01-13 15:15:59 +01:00
42a463f422
Security: Fix critical deny-filter bug and improve authorization
...
CRITICAL FIX: Deny-filter was allowing all records instead of denying
Fix: User validation in Member now uses actor from changeset.context
2026-01-13 15:01:55 +01:00
6846363132
Refactor: NoActor to SimpleCheck with compile-time environment check
...
This prevents security issues where :create/:read without actor would
be allowed in production. Now all operations require an actor in production.
2026-01-13 15:01:54 +01:00
4192922fd3
feat: implement authorization policies for Member resource
2026-01-13 15:01:53 +01:00
6311eebb0c
fix linting
continuous-integration/drone/push Build is passing
2026-01-08 11:41:24 +01:00
4a1042ab1a
feat: add atomic update for single member field visibility
2026-01-08 11:28:27 +01:00
38d106a69e
fix: exit date as default hidden column
2026-01-07 12:14:41 +01:00
17540c6b1d
feat: removes phoen number as member field and makes name optional
2026-01-02 16:19:06 +01:00
850f00fe22
formatting
continuous-integration/drone/push Build is passing
2026-01-02 13:53:24 +01:00
08f563a412
Merge branch 'main' into bugfix/274_required_custom_fields
continuous-integration/drone/push Build is failing
2026-01-02 13:47:24 +01:00
5318b2c07d
docs: add typespec for SetDefaultMembershipFeeType.change/3
2025-12-26 21:40:32 +01:00
d02add75ef
fix: convert after_action to after_transaction for cycle generation
...
Replace after_action hooks with after_transaction to ensure async tasks only run after successful commit. Extract common cycle generation logic into handle_cycle_generation/2 to reduce duplication. Add structured error logging with context.
2025-12-26 21:40:22 +01:00
1dd68bcaf2
feat: coherent required boolean handling
continuous-integration/drone/push Build is failing
2025-12-23 18:08:31 +01:00
e3ff3e610c
feat: optimize required custom fields query
2025-12-23 17:01:50 +01:00
2d2865b5a6
feat: improve validation for custom fields
2025-12-23 17:01:21 +01:00
098b3b0a2a
Remove paid field from members
...
Remove paid field from Member resource, database migration,
tests, seeds, and UI. This field is no longer needed as payment
status is now tracked via membership fee cycles.
2025-12-18 15:11:02 +01:00
9a1f0fbfa6
Remove future date validation for join_date
...
Allow join_date to be set in the future. Only validation remaining
is that exit_date must be after join_date.
2025-12-18 15:10:36 +01:00
8f8c3f258a
Reduce function nesting depth
2025-12-18 15:10:36 +01:00
128c712dbc
fix: improve get_last_completed_cycle and fix test helpers
...
- Fix get_last_completed_cycle to find most recent completed cycle
- Fix create_cycle helpers to delete auto-generated cycles first
- Fix Ash.destroy return value handling
- Fix form selectors to use specific IDs
- Fix URL parameter names for filters
- Fix Ash.read_one return value expectations in tests
2025-12-18 15:10:35 +01:00
d720670fd2
fix: address notification handling review feedback
...
1. Fix misleading comment in async create_member path
2. Use skip_lock?: true in test case for create_member
3. Fix generate_cycles_for_all_members/1
2025-12-18 15:00:45 +01:00
c25ffdc034
refactor: implement proper notification handling via after_action hooks
...
Refactor notification handling according to Ash best practices
2025-12-18 15:00:44 +01:00
98b56fc406
fix: resolve notification handling and maintain after_action for cycle regeneration
2025-12-18 15:00:44 +01:00
0783a2fe18
refactor: reduce nesting depth in regenerate_cycles_on_type_change
...
Split the function into smaller, focused functions to reduce nesting depth
2025-12-18 15:00:44 +01:00
66d0c9a702
fix: address code review points for cycle regeneration
...
1. Fix critical notifications bug
2. Fix today inconsistency
3. Add advisory lock around deletion
4. Improve helper function documentation
5. Improve error message UX
2025-12-18 15:00:44 +01:00
d8e9c157bf
fix: prevent deadlocks by detecting existing transactions
2025-12-18 15:00:43 +01:00
69c9746974
fix: make cycle regeneration atomic on type change
...
Make cycle regeneration synchronous in the same transaction as the member
update to ensure atomicity.
2025-12-18 15:00:42 +01:00
