[FEATURE]: Member Resource Policies #345

Closed
opened 2026-01-08 17:13:34 +01:00 by moritz · 0 comments
Owner

Description:

Add authorization policies to the Member resource using the new HasPermission check.

Tasks:

  1. Open lib/mv/membership/member.ex
  2. Add policies block at top of resource (before actions)
  3. Configure policy to Mv.Authorization.Checks.HasPermission
  4. Add policy for each action:
    • :read → check HasPermission for :read
    • :create → check HasPermission for :create
    • :update → check HasPermission for :update
    • :destroy → check HasPermission for :destroy
  5. Add special policy: Allow user to read/update their linked member (before general policy)
    ```elixir
    policy action_type(:read) do
      authorize_if expr(user_id == ^actor(:id))
    end
    ```
  6. Ensure policies load actor with :role relationship preloaded
  7. Test policies with different actors

Policy Order (Critical!):

  1. Allow user to access their own linked member (most specific)
  2. Check HasPermission (general authorization)
  3. Default: Forbid
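The policy order above, written out as an Ash `policies` block. This is an added illustration, not the project's `member.ex`; it assumes Ash 3.x, an `Mv.Membership` domain, and that `Mv.Authorization.Checks.HasPermission` takes a `permission:` option (the real check's option name is not given in the issue). Within one `policy`, checks are tried in order and the first one that applies decides, so listing the linked-member `expr` check before the `HasPermission` check gives exactly "specific, then general, then forbid by default":

```elixir
defmodule Mv.Membership.Member do
  # Illustrative resource (assumed module/domain names, Ash 3.x syntax).
  use Ash.Resource,
    domain: Mv.Membership,
    data_layer: Ash.DataLayer.Ets,
    authorizers: [Ash.Policy.Authorizer]

  # Assumption: the project's check accepts `permission: atom`.
  alias Mv.Authorization.Checks.HasPermission

  policies do
    # Reads: the expr check turns into a query filter when it cannot be
    # decided statically, so an :own_data actor without :read permission
    # gets the query scoped to user_id == actor.id (linked member only),
    # while an actor whose HasPermission check passes sees every row.
    policy action_type(:read) do
      authorize_if expr(user_id == ^actor(:id))
      authorize_if {HasPermission, permission: :read}
    end

    # Updates: the expr check is evaluated against the record being changed,
    # so a user may edit their own linked member even without :update.
    policy action_type(:update) do
      authorize_if expr(user_id == ^actor(:id))
      authorize_if {HasPermission, permission: :update}
    end

    # No self-service path for create/destroy: permission check only.
    policy action_type(:create) do
      authorize_if {HasPermission, permission: :create}
    end

    policy action_type(:destroy) do
      authorize_if {HasPermission, permission: :destroy}
    end

    # Anything no authorize_if matched is forbidden: Ash's default outcome.
  end

  attributes do
    uuid_primary_key :id
    # Link to the account that owns this member record (assumed attribute).
    attribute :user_id, :uuid
  end

  actions do
    defaults [:read, :destroy, create: [:user_id], update: [:user_id]]
  end
end
```

On the calling side, the actor must already carry its role, otherwise a role-based check sees `nil` and falls through to forbid: for example `Ash.read!(Mv.Membership.Member, actor: Ash.load!(user, :role))` (assuming `:role` is a relationship on the user resource, as task 6 implies). Because all CRUD actions are covered and the final outcome is forbid, a new action added later without a matching `policy` is rejected rather than silently allowed.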

Acceptance Criteria:

  • Policies block added to Member resource
  • All CRUD actions protected by HasPermission
  • Special case: User can always access linked member
  • Policy order is correct (specific before general)
  • Actor preloads :role relationship
  • All policies tested

Test Strategy (TDD):

Policy Tests for :own_data (Mitglied):

  • User can read their linked member (user_id matches)
  • User can update their linked member
  • User cannot read unlinked member (returns empty list or forbidden)
  • User cannot create member
  • Verify scope :linked works

Policy Tests for :read_only (Vorstand):

  • User can read all members (returns all records)
  • User cannot create member (returns Forbidden)
  • User cannot update any member (returns Forbidden)
  • User cannot destroy any member (returns Forbidden)

Policy Tests for :normal_user (Kassenwart):

  • User can read all members
  • User can create new member
  • User can update any member
  • User cannot destroy member (not in permission set)

Policy Tests for :admin:

  • User can perform all CRUD operations on any member
  • No restrictions

Test File: test/mv/membership/member_policies_test.exs

moritz added this to the Accounts & Logins milestone 2026-01-08 17:13:35 +01:00
moritz self-assigned this 2026-01-08 17:13:35 +01:00
moritz added this to the Sprint 11: 08.01-29.01 project 2026-01-08 17:13:35 +01:00

Reference: local-it/mitgliederverwaltung#345