- Use OidcRoleSyncContext for set_role_from_oidc_sync; document JWT peek risk.
- seed_admin without password sets Admin role on existing user (OIDC-only); update docs and test.
- Fix DE translation for 'access this page'; add get? true comment in User.
- sign_in_with_rauthy: get? true so Ash returns single user; pass oauth_tokens to OidcRoleSync.
- register_with_rauthy: pass oauth_tokens to OidcRoleSync; return {:ok, record} to preserve token.
Register and sign-in call apply_admin_role_from_user_info; users in configured
admin group get Admin role, others get Mitglied. Internal User action + bypass policy.
- Last-admin only when target role is non-admin (admins may switch admin roles).
- Use Ash.Changeset.get_attribute for new role_id. Tests: admin role switch, non-admin update_user role_id forbidden.
- Only cache non-nil role_id values to allow retry after role creation
- Prevents processes from being permanently stuck with nil if first call
happens before the 'Mitglied' role exists
- Update documentation to explain bootstrap safety mechanism
- Add database-level NOT NULL constraint for users.role_id
- Update SystemActor tests to verify NOT NULL constraint enforcement
- Add process dictionary caching for default_role_id/0 to reduce DB queries
The attribute-level default solution makes this change module obsolete.
All role assignment is now handled via the role_id attribute's default
function, which is more robust and works for all creation paths.
- Add SystemActor to Ash.read_one() calls in OidcEmailCollision validation
- Prevents authorization failures during OIDC registration when no actor is logged in
- Enables proper email collision detection and account linking flow
Remove is_system_role from accept lists in create_role and update_role
actions. This field should only be set via seeds or internal actions to
prevent users from creating unkillable roles through the public API.
Previously, we'd rely on defaults for configuring user token
authentication. With these changes, we explicitly require
:session_identifier and :require_token_presence_for_authentication to be
configured in the application environment to make sure the system is
configured the way it should be.
