[FEATURE]: CustomFieldValue Resource Policies #369

Closed
opened 2026-01-27 12:46:02 +01:00 by moritz · 0 comments
Owner

Description:

Add authorization policies to the CustomFieldValue resource. CustomFieldValues are linked to members, which are linked to users.

Tasks:

  1. Open lib/mv/membership/custom_field_value.ex
  2. Add policies block
  3. Add special policy: Allow user to read/update custom field values of their linked member
    policy action_type([:read, :update]) do
      authorize_if expr(member.user_id == ^actor(:id))
    end
    
  4. Add general policy: Check HasPermission
  5. Ensure CustomFieldValue preloads :member relationship for scope checks
  6. Preload :role relationship for actor

Policy Order:

  1. Allow user to read/update properties of linked member
  2. Check HasPermission
  3. Default: Forbid

Acceptance Criteria:

  • User can access properties of their linked member
  • Policy traverses Member -> User relationship correctly
  • HasPermission check works for other scopes
  • Actor preloads :role relationship

Test Strategy (TDD):

Linked CustomFieldValues Tests (:own_data):

  • User can read custom field values of their linked member
  • User can update custom field values of their linked member
  • User cannot read custom field values of unlinked members
  • Verify relationship traversal works (custom_field_value.member.user_id)

Read-Only Tests:

  • User with :read_only can read all custom field values
  • User with :read_only cannot create/update custom field values

Normal User Tests:

  • User with :normal_user can CRUD custom field values

Admin Tests:

  • Admin can perform all operations

Test File: test/mv/membership/custom_field_value_policies_test.exs
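
How the three-step policy order above could be expressed in Ash's policy DSL, as an added sketch that is not the project's own code. In Ash every applicable `policy` must pass, so the own-data rule is written here as a `bypass` to let it authorize on its own. Assumptions: the module and domain names are inferred from the file path, and `Mv.Authorization.Checks.HasPermission` is a hypothetical location for the HasPermission check.

```elixir
defmodule Mv.Membership.CustomFieldValue do
  # Module and domain names are assumed from lib/mv/membership/custom_field_value.ex.
  use Ash.Resource,
    domain: Mv.Membership,
    authorizers: [Ash.Policy.Authorizer]

  # The resource's existing data layer, attributes and actions stay as they are
  # and are left out of this sketch; only the parts the issue touches are shown.

  relationships do
    # The own-data expression below traverses this relationship
    # (custom_field_value.member.user_id).
    belongs_to :member, Mv.Membership.Member
  end

  policies do
    # 1. Own data: a user may read/update values of the member linked to them.
    #    `bypass` authorizes the request when it passes and is skipped when it
    #    does not, so evaluation falls through to the next policy.
    bypass action_type([:read, :update]) do
      authorize_if expr(member.user_id == ^actor(:id))
    end

    # 2. Everything else (and own-data misses): role-based permission check.
    #    The check module path is hypothetical; it relies on the actor's
    #    :role relationship being loaded (task 6 in the issue).
    policy always() do
      authorize_if Mv.Authorization.Checks.HasPermission
    end

    # 3. Default forbid needs no entry: a policy in which no check reaches a
    #    decision forbids the request.
  end
end
```

With Ash's default filter behaviour on read actions, the `expr` check narrows the result set, so the "cannot read custom field values of unlinked members" test should expect those records to be absent rather than a forbidden error.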


moritz added this to the Accounts & Logins milestone 2026-01-27 12:46:02 +01:00
moritz self-assigned this 2026-01-27 12:46:02 +01:00
moritz added this to the Sprint 11: 08.01-29.01 project 2026-01-27 12:46:02 +01:00
moritz modified the milestone from Accounts & Logins to We have different roles and permissions 2026-02-03 16:38:52 +01:00
Reference: local-it/mitgliederverwaltung#369