Commit graph

3 commits

Author SHA1 Message Date
4d3a64c177
Add Role resource policies (defense-in-depth)
- PermissionSets: Role read :all for own_data, read_only, normal_user; admin keeps full CRUD
- Role resource: authorizers and policies with HasPermission
- Tests: role_policies_test.exs (read all, create/update/destroy admin only)
- Fix existing tests to pass actor or authorize?: false for Role operations
2026-02-04 14:07:38 +01:00
faee780aab
Tests: read_only/normal_user /users/:id, Ash.read! actor, Authorization own/other
- Integration: read_only and normal_user GET /users/:id (own) and edit/show/edit return 200
- Integration: read_only GET /users/:id (other) redirects
- Plug test: use group_fixture in setup instead of Ash.read!() without actor
- Authorization: tests for own/other profile and reserved 'new'
2026-01-30 10:22:34 +01:00
ff9c8d2d64
feat: add UI-level authorization helpers
Implement MvWeb.Authorization module with can?/3 and can_access_page?/2
functions for conditional rendering in LiveView templates.

- can?/3 supports both resource atoms and record structs with scope checking
- can_access_page?/2 checks page access permissions
- All functions use PermissionSets module for consistency with backend
- Graceful handling of nil users and invalid permission sets
- Comprehensive test coverage with 17 test cases
2026-01-08 16:16:53 +01:00