local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 67 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions
906 commits 13 branches 0 tags 7.9 MiB
Commit graph

13 commits

Author SHA1 Message Date
Moritz
f2def20fce Add centralized Actor.ensure_loaded helper 
Consolidate role loading logic from HasPermission and LiveHelpers.
Use Ash.Resource.Info.resource? for reliable Ash detection.
 2026-01-22 22:37:07 +01:00
Moritz
05c71132e4 Replace NoActor runtime Mix.env with compile-time config 
Use Application.compile_env for release-safety.
Config only set in test.exs (defaults to false).
 2026-01-22 22:37:04 +01:00
Moritz
56144a7696 Add role loading fallback to HasPermission check 
Extract ash_resource? helper to reduce nesting depth.
Add ensure_role_loaded fallback for unloaded actor roles.
 2026-01-22 21:36:10 +01:00
Moritz
93216f3ee6 Harden NoActor check with runtime environment guard 
Add Mix.env() check to match?/3 for defense in depth.
Document NoActor pattern in CODE_GUIDELINES.md.
 2026-01-22 21:36:09 +01:00
Moritz
429042cbba feat(auth): add User resource authorization policies 
Implement bypass for READ + HasPermission for UPDATE pattern
Extend HasPermission check to support User resource scope :own
 2026-01-22 19:19:22 +01:00
Moritz
dc3268cbf4
Fix: Update comment in auto_filter to reflect expr(false) usage 
Update comment from 'id IN [] = never matches' to 'expr(false) = match none'
to match the actual implementation of deny_filter().
 2026-01-13 15:01:56 +01:00
Moritz
c95a6fac69
Improve: Make deny_filter robust and add regression test 
- Change deny_filter from [id: {:in, []}] to expr(false)
- Add regression test to ensure deny-filter matches 0 records
 2026-01-13 15:01:55 +01:00
Moritz
42a463f422
Security: Fix critical deny-filter bug and improve authorization 
CRITICAL FIX: Deny-filter was allowing all records instead of denying
Fix: User validation in Member now uses actor from changeset.context
 2026-01-13 15:01:55 +01:00
Moritz
6846363132
Refactor: NoActor to SimpleCheck with compile-time environment check 
This prevents security issues where :create/:read without actor would
be allowed in production. Now all operations require an actor in production.
 2026-01-13 15:01:54 +01:00
Moritz
70729bdd73
Fix: HasPermission auto_filter and strict_check implementation 
Fixes security issue where auto_filter returned nil instead of proper
filter expressions, which could lead to incorrect authorization behavior.
 2026-01-13 15:01:54 +01:00
Moritz
4192922fd3
feat: implement authorization policies for Member resource 2026-01-13 15:01:53 +01:00
Moritz
db0a187058
fix: correct relationship filter paths in HasPermission check
All checks were successful
continuous-integration/drone/push Build is passing
Details 
- Use user.id instead of user_id for Member linked scope
- Use member.user.id for CustomFieldValue linked scope
- Add lazy logger evaluation
- Improve action nil handling
- Add integration tests for filter expressions
 2026-01-08 17:45:02 +01:00
Moritz
288002f404 feat: implement HasPermission policy check
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Implement custom Ash Policy Check that reads permissions from
PermissionSets module and applies scope filters to Ash queries.
 2026-01-08 16:48:43 +01:00