556 commits

Author	SHA1	Message	Date
carla	3f8797c356	feat: import custom fields via CSV	2026-02-02 11:42:07 +01:00
Moritz	6e13a3aa34	Docs: note User-Member Linking enforcement in code ... - update_user restricted via ActorIsAdmin; Form gates Member-Linking UI	2026-01-30 11:28:41 +01:00
Moritz	06d6531569	UserLive.Form: gate Member-Linking to admin, use :update for non-admin ... - Show Member-Linking UI only when can_manage_member_linking (admin) - perform_member_link_action runs only for admin - assign_form: non-admin uses :update (email), admin uses :update_user - Load members for linking only when can_manage_member_linking	2026-01-30 11:13:28 +01:00
Moritz	14fa873640	Restrict User.update_user to admin; allow :update for email only ... - Add ActorIsAdmin policy check (admin permission set only) - User: policy action(:update_user) forbid_unless + authorize_if ActorIsAdmin - User: primary :update action accept [:email] for non-admin profile edit	2026-01-30 11:13:23 +01:00
Moritz	a1fe36b7f2	Delegate can_access_page? to CheckPagePermission ... - UI uses same rules as plug (reserved 'new', own/linked path checks)	2026-01-30 10:22:31 +01:00
Moritz	d318dad612	Add /users/:id (own) and /members/:id/show/edit for redirect and normal_user ... - read_only and normal_user: allow /users/:id, /users/:id/edit, /users/:id/show/edit (own only) - normal_user: allow /members/:id/show/edit - Fixes redirect loop when sidebar links to profile	2026-01-30 10:22:27 +01:00
Moritz	b55f356762	fix: handle nil member in MembershipFeeHelpers ... - get_last_completed_cycle/2 and get_current_cycle/2 return nil when member is nil. - Avoids FunctionClauseError when MemberLive.Show receives no member (e.g. after redirect or policy filter). Add unit tests for nil member.	2026-01-30 00:00:32 +01:00
Moritz	626e8a872e	feat: restrict own_data to profile and linked member pages ... - Remove "/" from own_data pages (Mitglied redirected to profile at root). - Add /users/:id, /users/:id/edit, /users/:id/show/edit and member edit pages for own_data so members can access own profile and linked member only.	2026-01-30 00:00:31 +01:00
Moritz	b10b9c893c	feat: add CheckPagePermission plug for page-level authorization ... - Plug checks PermissionSets page list; redirects unauthorized to profile or sign-in. - Router: add plug to :browser pipeline; LiveHelpers: check_page_permission_on_params for client-side navigation (push_patch).	2026-01-30 00:00:31 +01:00
simon	d7f6d1c03c	Merge pull request 'Change Logo closes #385' (#389) from feature/385-mila-logo into main ... Reviewed-on: #389	2026-01-29 16:20:34 +01:00
Moritz	5a2f035ecc	CustomField policies: actor required, no system-actor fallback, error handling ... - list_required_custom_fields: require actor (two clauses, no default) - Member validation: use context.actor only, differentiate Forbidden vs transient errors - stream_custom_fields: log + send flash on error instead of returning [] - GlobalSettingsLive: handle_info for custom_fields_load_error, put_flash - Seeds: use Membership.update_member with actor, format	2026-01-29 16:10:12 +01:00
Moritz	9a7622ebed	fix: pass actor to CustomFieldLive.FormComponent for save ... IndexComponent now passes actor to FormComponent; FormComponent uses assigns[:actor] instead of current_actor(socket). Add test that submits new custom field form on settings page.	2026-01-29 16:10:12 +01:00
Moritz	1d17c4f2dd	fix: CustomField policies, no system-actor fallback, guidelines ... - Tests and UI pass actor for CustomField create/read/destroy; seeds use actor - Member required-custom-fields validation uses context.actor only (no fallback) - CODE_GUIDELINES: add rule forbidding system-actor fallbacks	2026-01-29 16:10:12 +01:00
Moritz	36b5d5880b	Add CustomField resource policies and tests ... - Add policies block with HasPermission for read/create/update/destroy - Add authorizers: [Ash.Policy.Authorizer] to CustomField resource - Add custom_field_policies_test.exs (read all roles, write admin only) - Fix CustomField path in roles-and-permissions doc (lib/membership)	2026-01-29 16:10:12 +01:00
Simon	8fa337bd81	feat: change logo	2026-01-29 15:55:15 +01:00
Simon	b4adf63e83	feix: optimize queries for groups	2026-01-29 15:22:40 +01:00
Simon	124ab295a6	fix: select all checkbox handling	2026-01-29 15:14:36 +01:00
Simon	bb7e3cbe77	fix: make sure all tests run	2026-01-29 14:49:39 +01:00
Simon	59aefe9521	fix: minor bugs	2026-01-28 10:45:05 +01:00
Simon	ddc8335cc0	refactor: improve groups LiveView based on code review feedback	2026-01-28 10:33:27 +01:00
Simon	3eb4cde0b7	Merge remote-tracking branch 'origin/main' into feature/372-groups-management	2026-01-27 23:48:31 +01:00
Simon	9991291b2f	test: adapt tests to reflect implementation details	2026-01-27 23:40:12 +01:00
Simon	5e0b6580ae	refactor: fix credo warnings, update gettext	2026-01-27 22:32:37 +01:00
Simon	05c81af6e9	feat: add groups to sidebar #372	2026-01-27 22:05:21 +01:00
Simon	6faa9847f4	feat: add groups administration #372	2026-01-27 21:55:17 +01:00
Moritz	2b4e1e3963	Sync user email to member when changing password (admin_set_password) ... Add SyncUserEmailToMember change to admin_set_password so email+password updates in the user form sync the new email to the linked member.	2026-01-27 17:58:35 +01:00
Moritz	cbcb93418e	feat(user_live): handle system user in form and show ... Early return / load_user_or_redirect, use system_user? to avoid editing system actor.	2026-01-27 17:39:04 +01:00
Moritz	d98b32af8d	feat(accounts): block update/destroy on system-actor user ... Validation prevents modifying system actor user (required for internal ops).	2026-01-27 17:39:04 +01:00
Moritz	7d33acde9f	feat(system_actor): add system_user?/1 and normalize email ... Case-insensitive email comparison for system-actor detection.	2026-01-27 17:39:04 +01:00
Moritz	41bc031cc6	refactor(web): extract format_ash_error to MvWeb.ErrorHelpers ... Use shared ErrorHelpers in UserLive.Index for consistent Ash error formatting.	2026-01-27 17:39:04 +01:00
Moritz	8ad5201e1a	Hide system actor from user list and block show/edit ... Index: filter out SystemActor.system_user_email() in query. Show/Form: redirect to /users with flash when viewing or editing system actor user. Index format_error: handle Ash errors without :message field.	2026-01-27 17:39:04 +01:00
Moritz	b7f37c80bd	Prevent deletion of system actor user ... Add destroy validation and explicit destroy action (primary, require_atomic? false). Validation blocks destroy when email == SystemActor.system_user_email().	2026-01-27 17:39:04 +01:00
simon	5df1da1573	Merge branch 'main' into feature/371-groups-resource	2026-01-27 17:16:34 +01:00
Simon	e92c98b559	refactor: fix review issues - member_count aggregate, migration down, docs, actor handling	2026-01-27 17:09:07 +01:00
Simon	fc8306cfee	test: resolve warnings	2026-01-27 16:38:17 +01:00
Moritz	4d3a249b0c	HasPermission: remove unused _authorizer from strict_check helper	2026-01-27 16:07:01 +01:00
Moritz	3f95a2dd84	CustomFieldValue: remove unused require Ash.Query	2026-01-27 16:07:01 +01:00
Moritz	7153af23ee	CustomFieldValueCreateScope: use get_argument_or_attribute for member_id ... - Read member_id via Ash.Changeset.get_argument_or_attribute/2 so it works when set as attribute or argument - Remove unused require Logger - Document member_id source in moduledoc	2026-01-27 16:07:01 +01:00
Moritz	bf2d0352c1	Add authorization policies to CustomFieldValue resource ... - Authorizer and policies: bypass for read (member_id == actor.member_id), CustomFieldValueCreateScope for create, HasPermission for read/update/destroy. - HasPermission: pass authorizer into strict_check helper; document that create must use a dedicated check (no filter).	2026-01-27 16:07:01 +01:00
Moritz	c7c6b318ac	Add CustomFieldValueCreateScope check for create actions ... Ash cannot apply filters to create; this check enforces :linked/:all scope via strict_check only (no filter).	2026-01-27 16:07:01 +01:00
Moritz	8f5f69744c	Add CustomFieldValue create/destroy :linked to own_data permission set ... Allows members to create and delete custom field values for their linked member.	2026-01-27 16:07:01 +01:00
Simon	6db64bf996	feat: add groups resource #371	2026-01-27 16:03:21 +01:00
Moritz	5195fd0d45	Fix missing max_errors assign in GlobalSettingsLive ... Set max_errors as socket assign in mount/3 to make it available in templates. Fixes KeyError in CSV import UI.	2026-01-25 18:36:33 +01:00
Moritz	1d0ac6d280	Improve CSV import error messages ... Include email address in duplicate email error messages. Add German translation for email uniqueness errors. Ensure locale is set for translations in async tasks.	2026-01-25 18:33:28 +01:00
Moritz	5acb5e304d	Fix CSV upload file reading ... Handle consume_uploaded_entries returning [content] directly instead of [{:ok, content}]. Add locale support for translations in background tasks.	2026-01-25 18:33:27 +01:00
Moritz	562265f212	Security: Require actor parameter in CSV import ... Remove fallback to system_actor in process_chunk to prevent unauthorized access. Actor must now be explicitly provided.	2026-01-25 18:33:25 +01:00
carla	79361c72d2	fix tests and linting	2026-01-25 17:31:49 +01:00
carla	b841c306fc	formatting	2026-01-25 17:31:49 +01:00
carla	0fe4a55e80	formatting and refactoring	2026-01-25 17:31:48 +01:00
carla	bf7e47ce5c	refactor	2026-01-25 17:31:42 +01:00