64 commits

Author	SHA1	Message	Date
Moritz	4473cfd372	Tests: use code interface for Member create/update (actor propagation)	2026-01-29 16:10:12 +01:00
Moritz	36b5d5880b	Add CustomField resource policies and tests ... - Add policies block with HasPermission for read/create/update/destroy - Add authorizers: [Ash.Policy.Authorizer] to CustomField resource - Add custom_field_policies_test.exs (read all roles, write admin only) - Fix CustomField path in roles-and-permissions doc (lib/membership)	2026-01-29 16:10:12 +01:00
Moritz	7d33acde9f	feat(system_actor): add system_user?/1 and normalize email ... Case-insensitive email comparison for system-actor detection.	2026-01-27 17:39:04 +01:00
Moritz	9c31f0c16c	Add tests for system actor protection and hiding ... Index: system actor not in list, destroy returns Ash.Error.Invalid. Show/Form: redirect to /users when viewing or editing system actor user.	2026-01-27 17:39:04 +01:00
Moritz	0219073d33	CFV policies test: system_actor for setup, verify destroy with actor ... - create_linked_member_for_user and create_unlinked_member use actor (system_actor) directly instead of creating admin user per call - Remove create_admin_user helper - After destroy, verify with Ash.get(..., actor: actor) to avoid false positive from Forbidden vs NotFound	2026-01-27 16:07:01 +01:00
Moritz	4e032ea778	Add CustomFieldValue policy tests (own_data, read_only, normal_user, admin) ... Covers read/update/create/destroy for linked vs unlinked members and CRUD permissions per permission set.	2026-01-27 16:07:01 +01:00
Moritz	17831a0948	Pass actor to CustomFieldValue destroy and load in existing tests ... Required after CustomFieldValue gained authorization policies.	2026-01-27 16:07:01 +01:00
Moritz	562265f212	Security: Require actor parameter in CSV import ... Remove fallback to system_actor in process_chunk to prevent unauthorized access. Actor must now be explicitly provided.	2026-01-25 18:33:25 +01:00
Moritz	2d446f63ea	Add NOT NULL constraint to users.role_id and optimize default_role_id ... - Add database-level NOT NULL constraint for users.role_id - Update SystemActor tests to verify NOT NULL constraint enforcement - Add process dictionary caching for default_role_id/0 to reduce DB queries	2026-01-25 17:04:48 +01:00
Moritz	8f3fd9d0d7	test: adapt tests for attribute-level default solution	2026-01-25 13:42:45 +01:00
Moritz	b545d2b9e1	Remove NoActor module, improve Member validation, update docs	2026-01-24 11:59:18 +01:00
Moritz	71c13d0ac0	Fix missing actor parameters and restore AshAuthentication bypass tests	2026-01-24 08:51:58 +01:00
Moritz	bebd7f6fe2	Fix tests: Remove redundant system_actor and update test descriptions	2026-01-24 02:21:09 +01:00
Moritz	d8187484b8	Fix tests: Add missing actor parameters to Ash operations	2026-01-24 02:21:09 +01:00
Moritz	b9d68a3417	Fix test helpers: Use actor parameter correctly	2026-01-24 02:21:09 +01:00
Moritz	0f48a9b15a	Add actor parameter to all tests requiring authorization ... This commit adds actor: system_actor to all Ash operations in tests that require authorization.	2026-01-24 02:21:02 +01:00
Moritz	427608578f	Restrict Actor.ensure_loaded to Mv.Accounts.User only ... Pattern match on %Mv.Accounts.User{} instead of generic actor. Clearer intention, prevents accidental authorization bypasses. Non-User actors are returned as-is (no-op).	2026-01-22 23:17:55 +01:00
Moritz	f6096e194f	Remove skipped get_by_subject test, add explanation ... Test removed - JWT flow tested via AshAuthentication integration. Direct test would require JWT mocking without value.	2026-01-22 23:04:58 +01:00
Moritz	e60bb6926f	Remove unused PolicyHelpers macro and PolicyConsistency test ... Dead code - macro was never used in codebase. PolicyConsistency test will be replaced with better implementation.	2026-01-22 22:37:09 +01:00
Moritz	f2def20fce	Add centralized Actor.ensure_loaded helper ... Consolidate role loading logic from HasPermission and LiveHelpers. Use Ash.Resource.Info.resource? for reliable Ash detection.	2026-01-22 22:37:07 +01:00
Moritz	05c71132e4	Replace NoActor runtime Mix.env with compile-time config ... Use Application.compile_env for release-safety. Config only set in test.exs (defaults to false).	2026-01-22 22:37:04 +01:00
Moritz	d97f6f4004	Add policy consistency tests ... Enforce User.update :own across all permission sets. Verify READ bypass + UPDATE HasPermission pattern.	2026-01-22 21:36:19 +01:00
Moritz	7d0f5fde86	Replace for comprehension with explicit describe blocks ... Fix Credo parsing error by removing for comprehension. Duplicate tests for own_data, read_only, normal_user sets.	2026-01-22 21:36:16 +01:00
Moritz	56144a7696	Add role loading fallback to HasPermission check ... Extract ash_resource? helper to reduce nesting depth. Add ensure_role_loaded fallback for unloaded actor roles.	2026-01-22 21:36:10 +01:00
Moritz	93216f3ee6	Harden NoActor check with runtime environment guard ... Add Mix.env() check to match?/3 for defense in depth. Document NoActor pattern in CODE_GUIDELINES.md.	2026-01-22 21:36:09 +01:00
Moritz	63d8c4668d	test(auth): add User policies test suite ... 31 tests covering all 4 permission sets and bypass scenarios Update HasPermission tests to expect false for scope :own without record	2026-01-22 19:19:25 +01:00
Moritz	5eadd5f090	Refactor test setup into helper functions ... Extract setup code into reusable helper functions to reduce duplication and improve maintainability.	2026-01-20 23:16:40 +01:00
Moritz	a3cf8571ff	Document System Actor pattern in code guidelines ... Add section explaining when and how to use system actor for systemic operations. Include examples and distinction between user mode and system mode.	2026-01-20 22:10:11 +01:00
Moritz	f1bb6a0f9a	Add tests for System Actor helper ... Test system actor retrieval, caching, fallback behavior, and auto-creation in test environment.	2026-01-20 22:09:21 +01:00
Moritz	0abcf540bb	refactor: Replace length/1 with empty list comparison ... Replace expensive length/1 calls with direct list comparison to fix Credo warnings about performance	2026-01-20 15:58:15 +01:00
carla	3cbd90ecdd	feat: adds error capping	2026-01-19 12:02:28 +01:00
carla	7da037d81d	refactor: adds schemales changeset and validation constant	2026-01-19 11:43:51 +01:00
carla	8b3cc6a6b2	feat: adds row validation	2026-01-19 11:22:11 +01:00
carla	6dc398fa5a	refactor: reduce complexity	2026-01-15 17:00:17 +01:00
carla	0673684cc1	test: adds tests for header normalization	2026-01-15 16:11:02 +01:00
carla	3bbe9895ee	fix: improve CSV parser error handling	2026-01-15 11:08:22 +01:00
carla	31cf07c071	test: updated tests	2026-01-15 10:10:14 +01:00
carla	4b41ab37bb	Merge branch 'main' into feature/330_import_service_skeleton	2026-01-14 12:30:40 +01:00
carla	aa3fb0c49b	fix linting	2026-01-14 10:48:36 +01:00
carla	aa62e03409	skip test for now	2026-01-14 09:11:44 +01:00
Moritz	c95a6fac69	Improve: Make deny_filter robust and add regression test ... - Change deny_filter from [id: {:in, []}] to expr(false) - Add regression test to ensure deny-filter matches 0 records	2026-01-13 15:01:55 +01:00
Moritz	42a463f422	Security: Fix critical deny-filter bug and improve authorization ... CRITICAL FIX: Deny-filter was allowing all records instead of denying Fix: User validation in Member now uses actor from changeset.context	2026-01-13 15:01:55 +01:00
Moritz	70729bdd73	Fix: HasPermission auto_filter and strict_check implementation ... Fixes security issue where auto_filter returned nil instead of proper filter expressions, which could lead to incorrect authorization behavior.	2026-01-13 15:01:54 +01:00
Moritz	93190d558f	test: add Member resource policy tests	2026-01-13 15:01:53 +01:00
carla	cc6d72b6b1	feat: add service skeleton and tests	2026-01-13 11:44:40 +01:00
Moritz	db0a187058	fix: correct relationship filter paths in HasPermission check ... - Use user.id instead of user_id for Member linked scope - Use member.user.id for CustomFieldValue linked scope - Add lazy logger evaluation - Improve action nil handling - Add integration tests for filter expressions	2026-01-08 17:45:02 +01:00
Moritz	cba471dcac	test: add tests for HasPermission policy check ... Add comprehensive test suite for the HasPermission Ash Policy Check covering permission lookup, scope application, error handling, and logging.	2026-01-08 16:48:42 +01:00
Moritz	18ec4bfd16	fix: add missing /custom_field_values/:id page to read_only and normal_user ... - Add /custom_field_values/:id to read_only pages (users can view list, should also view details) - Add /custom_field_values/:id to normal_user pages - Refactor tests to reduce duplication (use for-comprehension for structure tests) - Add tests for invalid input types in valid_permission_set?/1 - Update @spec for valid_permission_set?/1 to accept any() type	2026-01-06 22:17:33 +01:00
Moritz	7845117fad	refactor: improve error handling and documentation in PermissionSets ... - Add explicit ArgumentError for invalid permission set names with helpful message - Soften performance claim in documentation (intended to be constant-time) - Add tests for error handling - Improve maintainability with guard clause for invalid inputs	2026-01-06 21:55:52 +01:00
Moritz	9b0d022767	fix: add missing /profile page to read_only and normal_user permission sets ... Both permission sets allow User:update :own, so users should be able to access their profile page. This makes the implementation consistent with the documentation and the logical permission model.	2026-01-06 21:55:13 +01:00