Commit graph

51 commits

Author SHA1 Message Date
14fa873640 Restrict User.update_user to admin; allow :update for email only
- Add ActorIsAdmin policy check (admin permission set only)
- User: policy action(:update_user) forbid_unless + authorize_if ActorIsAdmin
- User: primary :update action accept [:email] for non-admin profile edit
2026-01-30 11:13:23 +01:00
2b4e1e3963 Sync user email to member when changing password (admin_set_password)
Add SyncUserEmailToMember change to admin_set_password so email+password
updates in the user form sync the new email to the linked member.
2026-01-27 17:58:35 +01:00
d98b32af8d feat(accounts): block update/destroy on system-actor user
Validation prevents modifying system actor user (required for internal ops).
2026-01-27 17:39:04 +01:00
b7f37c80bd Prevent deletion of system actor user
Add destroy validation and explicit destroy action (primary, require_atomic? false).
Validation blocks destroy when email == SystemActor.system_user_email().
2026-01-27 17:39:04 +01:00
bdd2e6e103 Fix: Don't cache nil in default_role_id to prevent bootstrap issues
- Only cache non-nil role_id values to allow retry after role creation
- Prevents processes from being permanently stuck with nil if first call
  happens before the 'Mitglied' role exists
- Update documentation to explain bootstrap safety mechanism
2026-01-25 17:11:05 +01:00
2d446f63ea Add NOT NULL constraint to users.role_id and optimize default_role_id
- Add database-level NOT NULL constraint for users.role_id
- Update SystemActor tests to verify NOT NULL constraint enforcement
- Add process dictionary caching for default_role_id/0 to reduce DB queries
2026-01-25 17:04:48 +01:00
e7bf777be2 refactor: remove AssignDefaultRole change module
The attribute-level default solution makes this change module obsolete.
All role assignment is now handled via the role_id attribute's default
function, which is more robust and works for all creation paths.
2026-01-25 13:42:35 +01:00
6ad777860d feat: implement attribute-level default for role_id assignment
Replace action-level changes with attribute default function to ensure
all users get the 'Mitglied' role regardless of creation path.
2026-01-25 13:41:46 +01:00
0dbbc96353 Integrate AssignDefaultRole change into user creation actions 2026-01-24 19:16:20 +01:00
4b10fd2702 Add AssignDefaultRole change for automatic role assignment
- Assigns 'Mitglied' role to new users if no role is set
2026-01-24 19:15:56 +01:00
e72b7ab2e8 Remove NoActor bypass from User and Member policies
This removes the NoActor bypass that was masking authorization bugs in tests.
All operations now require an explicit actor for authorization.
2026-01-24 02:12:31 +01:00
bad4e5ca7c Fix OIDC login by using SystemActor in OidcEmailCollision validation
- Add SystemActor to Ash.read_one() calls in OidcEmailCollision validation
- Prevents authorization failures during OIDC registration when no actor is logged in
- Enables proper email collision detection and account linking flow
2026-01-23 02:12:53 +01:00
797452a76e Shorten User policy comments to state what only
Move why explanations to documentation files.
Keep policy comments concise and focused.
2026-01-22 21:36:12 +01:00
429042cbba feat(auth): add User resource authorization policies
Implement bypass for READ + HasPermission for UPDATE pattern
Extend HasPermission check to support User resource scope :own
2026-01-22 19:19:22 +01:00
9c2cff6307 docs: Update domain Public API documentation 2026-01-20 15:50:08 +01:00
7da037d81d refactor: adds schemaless changeset and validation constant 2026-01-19 11:43:51 +01:00
5f13901ca5 security: remove is_system_role from public API
Remove is_system_role from accept lists in create_role and update_role
actions. This field should only be set via seeds or internal actions to
prevent users from creating unkillable roles through the public API.
2026-01-06 19:04:03 +01:00
deacc43030 docs: document FK constraint behavior for role relationship
Add comment explaining on_delete: :restrict behavior for
users.role_id foreign key constraint.
2026-01-06 18:37:37 +01:00
90c32c2afd feat: add role relationship to User resource
Add belongs_to :role relationship to User resource and register
Authorization domain in config.
2026-01-06 17:18:33 +01:00
9cda832b82 fix: request scopes email and profile
2025-12-03 22:02:23 +01:00
613a5f2643 feat: support email scope to retrieve oidc info
2025-12-03 21:51:12 +01:00
55fb845855 refactor: small changes from PR review
2025-11-13 16:33:29 +01:00
5ce220862f refactor and docs 2025-11-13 16:33:29 +01:00
293e85334f fix oidc security bug 2025-11-13 16:33:29 +01:00
001fca1d16 refactor: email sync changes 2025-10-23 13:13:28 +02:00
39afaf3999 feat: email uniqueness constraint between user and member 2025-10-23 13:13:27 +02:00
5a0a261cd6 add action changes for email sync 2025-10-23 13:13:27 +02:00
7c1aeddad4 add constraints for member-user and member-property 2025-10-16 15:28:31 +02:00
59a8067c09 add some comments 2025-10-16 15:28:30 +02:00
3b0c1da1ab User email validation 2025-10-16 13:54:57 +02:00
cde619543f translate all error messages 2025-10-16 13:54:07 +02:00
72a8415cb3 feat: member user relation 2025-10-16 12:30:01 +02:00
a3746dfaaa Explicitly require ash authentication settings
Previously, we'd rely on defaults for configuring user token
authentication. With these changes, we explicitly require
:session_identifier and :require_token_presence_for_authentication to be
configured in the application environment to make sure the system is
configured the way it should be.
2025-09-11 11:49:46 +02:00
dd77be0388 Add seed script for admin user 2025-08-15 10:11:12 +02:00
8507109631 feat: test authentication
2025-07-31 14:18:36 +02:00
6907b2ed3c feat: fail if oidc provider does not provide a sub or id 2025-07-31 14:18:36 +02:00
06574a932d fix: formatting
2025-07-24 17:07:20 +02:00
33d4fa66c8 fix: update email field given by oidc provider 2025-07-24 17:07:20 +02:00
662e80cc74 feat: set password for new and for existing user 2025-07-24 17:07:20 +02:00
df9966bb12 feat: account live view - basic functionality 2025-07-24 17:07:20 +02:00
681db5dc71 fix: set oidc_id from user_info["sub"] 2025-07-24 17:07:20 +02:00
5287a20b98 feat: activate ash_admin for Accounts and Membership domain
2025-07-24 12:38:21 +02:00
cbcd8904b3 fix: deprecation warnings 2025-07-09 17:19:17 +02:00
fba9abc2c1 test(AshAuthentication): updated tests for signed in user and added test for authcontroller 2025-07-02 17:03:37 +02:00
c7b13c0ecb format: formatted files 2025-07-02 17:03:37 +02:00
cc51763a6e review(env): shift secret to env file and added logger 2025-07-02 17:03:37 +02:00
565aaddd94 feat(secrets): updated as recommended in ashauthentication docs 2025-07-02 17:03:37 +02:00
7bfde5e230 doc: added comments and updated to latest ashauthentication version and required changes 2025-07-02 17:03:37 +02:00
a6fcaa1640 feat(oicd_provider): added oidc provider rauthy and strategy for authentication 2025-07-02 17:03:37 +02:00
192ceaed45 chore(AshAuthenticationPhoenix): added library and updated resources testing password strategy 2025-07-02 17:03:37 +02:00