[FEATURE]: Seed Data - Roles and Default Assignment #365

Closed
opened 2026-01-22 23:37:42 +01:00 by moritz · 0 comments
Owner

Description:

Create seed data for 5 roles and assign default "Mitglied" role to existing users. Optionally designate one admin via environment variable.

Tasks:

  1. Create priv/repo/seeds/authorization_seeds.exs
  2. Seed 5 roles using Ash.Seed.seed!/2 or create actions:
    • Mitglied: name="Mitglied", description="Default member role", permission_set_name="own_data", is_system_role=true
    • Vorstand: name="Vorstand", description="Board member with read access", permission_set_name="read_only", is_system_role=false
    • Kassenwart: name="Kassenwart", description="Treasurer with full member management", permission_set_name="normal_user", is_system_role=false
    • Buchhaltung: name="Buchhaltung", description="Accounting with read access", permission_set_name="read_only", is_system_role=false
    • Admin: name="Admin", description="Administrator with full access", permission_set_name="admin", is_system_role=false
  3. Make idempotent: Use upsert logic (get by name, update if exists, create if not)
  4. Assign "Mitglied" role to all users without role_id:
    ```elixir
    require Ash.Query

    mitglied_role = Ash.get!(Role, name: "Mitglied")
    # Only users whose role_id is still nil; users with a role are left untouched.
    users_without_role = User |> Ash.Query.filter(is_nil(role_id)) |> Ash.read!()
    Enum.each(users_without_role, fn user ->
      Ash.update!(user, %{role_id: mitglied_role.id})
    end)
    ```
  5. (Optional) Check for ADMIN_EMAIL env var, assign Admin role to that user
  6. Add error handling with clear error messages
  7. Add IO.puts statements to show progress
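An illustrative seed script for the tasks above, added here as an example and not code from the mitgliederverwaltung project. It assumes Ash 3, `Role` and `User` resources whose default create/update actions accept the listed attributes (`name`, `email`, `role_id`), and that `PermissionSets.all_permission_sets/0` returns a list of permission-set name strings.

```elixir
# priv/repo/seeds/authorization_seeds.exs (illustrative; Role/User resources and actions are assumptions)
require Ash.Query

roles = [
  %{name: "Mitglied", description: "Default member role", permission_set_name: "own_data", is_system_role: true},
  %{name: "Vorstand", description: "Board member with read access", permission_set_name: "read_only", is_system_role: false},
  %{name: "Kassenwart", description: "Treasurer with full member management", permission_set_name: "normal_user", is_system_role: false},
  %{name: "Buchhaltung", description: "Accounting with read access", permission_set_name: "read_only", is_system_role: false},
  %{name: "Admin", description: "Administrator with full access", permission_set_name: "admin", is_system_role: false}
]

# Validate before writing anything: an unknown permission set aborts the run and names the bad value.
valid_sets = PermissionSets.all_permission_sets()  # assumed to return a list of name strings

case Enum.find(roles, &(&1.permission_set_name not in valid_sets)) do
  nil -> :ok
  %{name: name, permission_set_name: ps} -> raise "Role #{name}: invalid permission_set_name #{inspect(ps)}"
end

# Upsert by name so re-running the seeds never creates duplicate roles.
role_ids =
  Map.new(roles, fn attrs ->
    record =
      case Role |> Ash.Query.filter(name == ^attrs.name) |> Ash.read_one!() do
        nil -> IO.puts("Creating role #{attrs.name}"); Ash.create!(Role, attrs)
        existing -> IO.puts("Updating role #{attrs.name}"); Ash.update!(existing, Map.delete(attrs, :name))
      end

    {attrs.name, record.id}
  end)

# Default role: fill only a missing role_id, never overwrite a role a user already holds.
unassigned = User |> Ash.Query.filter(is_nil(role_id)) |> Ash.read!()
Enum.each(unassigned, &Ash.update!(&1, %{role_id: role_ids["Mitglied"]}))
IO.puts("Assigned Mitglied to #{length(unassigned)} user(s) without a role")

# Optional admin: only when ADMIN_EMAIL is set; an unknown address is logged and the run continues.
case System.get_env("ADMIN_EMAIL") do
  nil ->
    :ok

  email ->
    case User |> Ash.Query.filter(email == ^email) |> Ash.read_one!() do
      nil -> IO.puts("ADMIN_EMAIL #{email} matches no user; skipping admin assignment")
      user -> Ash.update!(user, %{role_id: role_ids["Admin"]}); IO.puts("Assigned Admin role to #{email}")
    end
end
```

Because the permission-set check runs before any write, a typo in a seed can never leave a role pointing at a permission set that does not exist.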

Acceptance Criteria:

  • All 5 roles created with correct permission_set_name
  • "Mitglied" has is_system_role=true
  • Existing users without role get "Mitglied" role
  • Optional: ADMIN_EMAIL user gets Admin role
  • Seeds are idempotent (can run multiple times)
  • Error messages are clear
  • Progress is logged to console

Test Strategy (TDD):

Role Creation Tests:

  • After running seeds, 5 roles exist
  • Each role has correct permission_set_name:
    • Mitglied → "own_data"
    • Vorstand → "read_only"
    • Kassenwart → "normal_user"
    • Buchhaltung → "read_only"
    • Admin → "admin"
  • "Mitglied" role has is_system_role=true
  • Other roles have is_system_role=false
  • All permission_set_names are valid (exist in PermissionSets.all_permission_sets/0)

User Assignment Tests:

  • Users without role_id are assigned "Mitglied" role
  • Users who already have role_id are not changed
  • New users are automatically assigned the "Mitglied" role
  • Count of users with "Mitglied" role increases by number of previously unassigned users

Idempotency Tests:

  • Running seeds twice doesn't create duplicate roles
  • Each role name appears exactly once
  • Running seeds twice doesn't reassign users who already have roles

Optional Admin Tests:

  • If ADMIN_EMAIL set, user with that email gets Admin role
  • If ADMIN_EMAIL not set, no error occurs
  • If email doesn't exist, error is logged but seeds continue

Error Handling Tests:

  • Seeds fail gracefully if invalid permission_set_name provided
  • Error message indicates which permission_set_name is invalid

Test File: test/seeds/authorization_seeds_test.exs

moritz added this to the Accounts & Logins milestone 2026-01-22 23:37:42 +01:00
moritz self-assigned this 2026-01-22 23:37:42 +01:00
moritz added this to the Sprint 11: 08.01-29.01 project 2026-01-22 23:37:43 +01:00
moritz modified the milestone from Accounts & Logins to We have different roles and permissions 2026-02-03 16:39:04 +01:00
Reference: local-it/mitgliederverwaltung#365