dbd79075f5
Pass actor parameter through cycle generation
...
Extract actor from changeset context in Member hooks and pass it
through all cycle generation functions to ensure proper authorization.
2026-01-13 15:15:59 +01:00
01cc5aa3a1
Add current_actor/1 helper for consistent actor access
...
Provides a single function to access current_user from socket assigns
across all LiveViews, ensuring consistent access pattern.
2026-01-13 15:15:59 +01:00
075a06ba6f
Refactor test setup: use global setup and fix MembershipFees domain alias
...
- Remove redundant setup blocks from member_live tests
- Add build_unauthenticated_conn helper for AuthController tests
- Add global setup in conn_case.ex
2026-01-13 15:15:56 +01:00
bc87893134
Integrate Member policies in LiveViews
...
- Add on_mount hook to ensure user role is loaded in all Member LiveViews
- Pass actor parameter to all Ash operations (read, get, create, update, destroy, load)
2026-01-13 15:12:24 +01:00
dc3268cbf4
Fix: Update comment in auto_filter to reflect expr(false) usage
...
Update comment from 'id IN [] = never matches' to 'expr(false) = match none'
to match the actual implementation of deny_filter().
2026-01-13 15:01:56 +01:00
c95a6fac69
Improve: Make deny_filter robust and add regression test
...
- Change deny_filter from [id: {:in, []}] to expr(false)
- Add regression test to ensure deny-filter matches 0 records
2026-01-13 15:01:55 +01:00
42a463f422
Security: Fix critical deny-filter bug and improve authorization
...
CRITICAL FIX: Deny-filter was allowing all records instead of denying
Fix: User validation in Member now uses actor from changeset.context
2026-01-13 15:01:55 +01:00
b3eb6c9223
Docs: Correct :linked scope documentation
2026-01-13 15:01:55 +01:00
4fffeeaaa0
Fix: Seeds use admin actor instead of NoActor bypass
...
This ensures seeds work correctly with the new fail-closed NoActor
policy in production, using proper authorization instead of bypass.
2026-01-13 15:01:55 +01:00
6846363132
Refactor: NoActor to SimpleCheck with compile-time environment check
...
This prevents security issues where :create/:read without actor would
be allowed in production. Now all operations require an actor in production.
2026-01-13 15:01:54 +01:00
70729bdd73
Fix: HasPermission auto_filter and strict_check implementation
...
Fixes security issue where auto_filter returned nil instead of proper
filter expressions, which could lead to incorrect authorization behavior.
2026-01-13 15:01:54 +01:00
4192922fd3
feat: implement authorization policies for Member resource
2026-01-13 15:01:53 +01:00
93190d558f
test: add Member resource policy tests
2026-01-13 15:01:53 +01:00
22d50d6c46
Merge pull request 'add CSV teplate closes #329 ' ( #347 ) from feature/329_csv_specification into main
...
continuous-integration/drone/push Build is passing
Reviewed-on: #347
2026-01-13 11:02:52 +01:00
469c4c0c1d
i18n: update translations
continuous-integration/drone/push Build is passing
2026-01-13 10:55:09 +01:00
6fe75db56d
formatting
continuous-integration/drone/push Build is failing
2026-01-13 10:50:33 +01:00
35895ac7fd
fix tests
continuous-integration/drone/push Build is failing
2026-01-13 10:48:44 +01:00
720a43a38c
feat: added csv templates
continuous-integration/drone/push Build is failing
2026-01-12 17:36:15 +01:00
3fd6410bb4
style: fix linting
continuous-integration/drone/push Build is failing
2026-01-12 15:37:58 +01:00
a1b0f65233
Merge pull request 'Add sidebar' ( #260 ) from sidebar into main
...
continuous-integration/drone/push Build is failing
Reviewed-on: #260
2026-01-12 15:17:28 +01:00
8a1b14fc79
fix: fix tests and remove navbar remainings
continuous-integration/drone/push Build is failing
2026-01-12 15:16:31 +01:00
30805b07ca
chore: remove compose incompatibility with wsl2
continuous-integration/drone/push Build is failing
2026-01-12 14:16:08 +01:00
e7515b5450
Merge remote-tracking branch 'origin/main' into sidebar
2026-01-12 14:15:12 +01:00
06a05fcaad
Merge pull request 'Implements settings for member fields closes #223 ' ( #300 ) from feature/223_memberfields_settings into main
...
continuous-integration/drone/push Build is passing
Reviewed-on: #300
2026-01-12 13:24:52 +01:00
922f9f93d0
Merge branch 'main' into feature/223_memberfields_settings
continuous-integration/drone/push Build is passing
2026-01-12 13:15:40 +01:00
77908a1467
fix tests
continuous-integration/drone/push Build is passing
2026-01-12 11:45:44 +01:00
e38de7d690
chore: rename custom to data field in the UI
continuous-integration/drone/push Build is failing
2026-01-12 09:50:51 +01:00
35aff50bea
Merge pull request 'Custom Policy Check - HasPermission closes #343 ' ( #344 ) from feature/343_haspermission into main
...
continuous-integration/drone/push Build is passing
Reviewed-on: #344
2026-01-08 18:05:14 +01:00
db0a187058
fix: correct relationship filter paths in HasPermission check
...
continuous-integration/drone/push Build is passing
- Use user.id instead of user_id for Member linked scope
- Use member.user.id for CustomFieldValue linked scope
- Add lazy logger evaluation
- Improve action nil handling
- Add integration tests for filter expressions
2026-01-08 17:45:02 +01:00
288002f404
feat: implement HasPermission policy check
...
continuous-integration/drone/push Build is passing
Implement custom Ash Policy Check that reads permissions from
PermissionSets module and applies scope filters to Ash queries.
2026-01-08 16:48:43 +01:00
cba471dcac
test: add tests for HasPermission policy check
...
Add comprehensive test suite for the HasPermission Ash Policy Check
covering permission lookup, scope application, error handling, and logging.
2026-01-08 16:48:42 +01:00
05b611d880
Merge pull request 'Role CRUD LiveViews closes #325 ' ( #326 ) from feature/325_role_view into main
...
continuous-integration/drone/push Build is passing
Reviewed-on: #326
2026-01-08 16:21:40 +01:00
68c09b761e
perf: optimize load_user_counts with DB-side aggregation
...
continuous-integration/drone/push Build is passing
Replace Elixir-side counting with Ecto GROUP BY COUNT query for
better performance. This avoids loading all users into memory and
performs the aggregation directly in the database.
2026-01-08 16:20:27 +01:00
5ac9ab7ff9
refactor: add opts_with_actor helper and improve error formatting
...
Add opts_with_actor helper function to reduce duplication when building
Ash options with actor and domain. Improve format_error documentation
and ensure consistent error message formatting.
2026-01-08 16:20:27 +01:00
34afe798ec
fix: use verified routes in navbar and improve can_access_page?
...
Use ~p verified routes instead of string paths in navbar template.
Update can_access_page? to handle both string and verified route paths
for better type safety.
2026-01-08 16:20:27 +01:00
ad0a3cd458
fix: add ensure_user_role_loaded to router live_session globally
2026-01-08 16:20:27 +01:00
675ab14fce
fix: correct German translations for role management
...
Fix incorrect translations:
- 'Listing Roles' -> 'Rollen auflisten' (was 'Benutzer*innen auflisten')
- 'Custom' -> 'Benutzerdefiniert' (was 'Benutzerdefinierte Felder')
2026-01-08 16:20:27 +01:00
59d656a07c
fix: add authorization check for Roles link in navbar
...
Only show Roles link in Settings dropdown for users with admin
permissions, preventing unauthorized access attempts.
2026-01-08 16:20:26 +01:00
32296625fe
refactor: extract shared helpers for RoleLive modules
...
Extract format_error and permission_set_badge_class functions into
MvWeb.RoleLive.Helpers module to eliminate code duplication between
Index and Show LiveViews.
2026-01-08 16:20:26 +01:00
e3cd400899
fix: add actor parameter to Ash.load in LiveHelpers
...
Use self as actor when loading user role relationship to ensure
proper authorization and policy enforcement.
2026-01-08 16:20:26 +01:00
d9dd936ae3
fix: add actor and domain parameters to user count functions in Show
...
Add actor and domain parameters to recalculate_user_count and
load_user_count to ensure consistent authorization. Clarify that
load_user_count is for initial display while recalculate_user_count
is for fresh count before deletion.
2026-01-08 16:20:26 +01:00
548bad6703
fix: add actor and domain parameters to user count functions
...
Add actor parameter to load_user_counts and recalculate_user_count
in Index LiveView to ensure consistent authorization and policy
enforcement. Also add domain parameter for clarity.
2026-01-08 16:20:25 +01:00
37a2fc3e83
refactor: replace cond with if in handle_delete_role functions
2026-01-08 16:20:25 +01:00
75ab046be4
refactor: extract ensure_user_role_loaded into shared on_mount hook
...
Move duplicate ensure_user_role_loaded logic into MvWeb.LiveHelpers
on_mount hook to eliminate code duplication across RoleLive modules
and centralize security-related user role loading.
2026-01-08 16:20:25 +01:00
ac67b8073d
fix: eliminate duplicate user_count queries in delete handlers
...
Calculate user_count once and reuse the value instead of calling
recalculate_user_count twice, reducing unnecessary database queries.
2026-01-08 16:20:25 +01:00
83812193b6
fix: add actor parameter to Authorization.get_role in Index
...
Ensure consistent authorization by passing actor parameter to
get_role call, matching the pattern used in Show LiveView.
2026-01-08 16:20:24 +01:00
03c1f747c5
chore: update gettext files and test cleanup
...
Update translation files after code changes and remove unused
debug logging code from tests.
2026-01-08 16:20:22 +01:00
8d36c0b02c
fix: use reraise instead of raise in rescue blocks
...
Replace raise with reraise to preserve the original stacktrace when
re-raising exceptions in rescue blocks, improving error debugging.
2026-01-08 16:19:49 +01:00
54c825bac3
refactor: reduce nesting depth in RoleLive handle_event functions
2026-01-08 16:19:49 +01:00
b638a54bd6
feat: prevent deletion of roles with assigned users
2026-01-08 16:19:47 +01:00
