local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 66 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

[FEATURE]: CustomField Resource Policies #386

New issue
Closed
opened 2026-01-29 11:55:44 +01:00 by moritz · 0 comments
moritz commented 2026-01-29 11:55:44 +01:00
Owner
Copy link

Description

Add authorization policies to the CustomField resource. CustomFields are admin-managed; all authenticated users can read them (scope :all). No bypass policy is needed for read, because read uses scope :all and HasPermission authorizes list reads directly.

Tasks

  1. Open lib/membership/custom_field.ex
  2. Add a policies block
  3. Add one policy: action_type([:read, :create, :update, :destroy]) with authorize_if Mv.Authorization.Checks.HasPermission
  4. Do not add a bypass policy for read (unlike User/Member/CustomFieldValue; CustomField read uses scope :all)

Acceptance Criteria

  • All users (with valid role) can read custom fields
  • Only admin can create/update/destroy custom fields
  • Policies are tested

Test Strategy (TDD)

Test file: test/mv/membership/custom_field_policies_test.exs

Structure and helpers can follow test/mv/membership/custom_field_value_policies_test.exs (system_actor setup, users with each permission set, etc.).

Read access (all roles)

  • User with :own_data can read all custom fields
  • User with :read_only can read all custom fields
  • User with :normal_user can read all custom fields
  • User with :admin can read all custom fields

Write access (admin only)

  • Non-admin cannot create custom field (Forbidden)
  • Non-admin cannot update custom field (Forbidden)
  • Non-admin cannot destroy custom field (Forbidden)
  • Admin can create custom field
  • Admin can update custom field
  • Admin can destroy custom field

Notes

  • Action names: CustomField uses destroy :destroy_with_values (primary). HasPermission uses action_type :destroy, so no PermissionSets or policy change is needed for the destroy action.
  • PermissionSets: CustomField is already defined for all four permission sets (read for all, create/update/destroy for admin only). No change required there.
## Description Add authorization policies to the CustomField resource. CustomFields are admin-managed; all authenticated users can read them (scope :all). No bypass policy is needed for read, because read uses scope :all and HasPermission authorizes list reads directly. --- ## Tasks 1. Open `lib/membership/custom_field.ex` 2. Add a `policies` block 3. Add one policy: `action_type([:read, :create, :update, :destroy])` with `authorize_if Mv.Authorization.Checks.HasPermission` 4. Do **not** add a bypass policy for read (unlike User/Member/CustomFieldValue; CustomField read uses scope :all) --- ## Acceptance Criteria - [ ] All users (with valid role) can read custom fields - [ ] Only admin can create/update/destroy custom fields - [ ] Policies are tested --- ## Test Strategy (TDD) **Test file:** `test/mv/membership/custom_field_policies_test.exs` Structure and helpers can follow `test/mv/membership/custom_field_value_policies_test.exs` (system_actor setup, users with each permission set, etc.). ### Read access (all roles) - User with `:own_data` can read all custom fields - User with `:read_only` can read all custom fields - User with `:normal_user` can read all custom fields - User with `:admin` can read all custom fields ### Write access (admin only) - Non-admin cannot create custom field (Forbidden) - Non-admin cannot update custom field (Forbidden) - Non-admin cannot destroy custom field (Forbidden) - Admin can create custom field - Admin can update custom field - Admin can destroy custom field --- ## Notes - **Action names:** CustomField uses `destroy :destroy_with_values` (primary). HasPermission uses action_type `:destroy`, so no PermissionSets or policy change is needed for the destroy action. - **PermissionSets:** CustomField is already defined for all four permission sets (read for all, create/update/destroy for admin only). No change required there.
moritz added this to the Accounts & Logins milestone 2026-01-29 11:55:44 +01:00
moritz added the
M
 label 2026-01-29 11:55:44 +01:00
moritz self-assigned this 2026-01-29 11:55:45 +01:00
moritz added this to the Sprint 12: 29.01.- 19.02 project 2026-01-29 11:55:45 +01:00
moritz modified the milestone from Accounts & Logins to We have different roles and permissions 2026-02-03 16:38:45 +01:00
Sign in to join this conversation.
main
Branches Tags
Clear current reference
main
renovate/renovate-renovate-43.x
renovate/ghcr.io-sebadob-rauthy-0.x
renovate/mix-dependencies
feature/export_csv
feature/ui-for-adding-members-groups
feature/373-member-view-groups-integration
speed-up-drone
persist-sort-order
feature/128_playwright_a11y_test
feature/backpex-migration
feature/backpex_translation
feature/36_add_primerlive
Clear current reference
No results found.
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
high priority

   
invalid

Something is wrong

  
L

5 h

  
low priority

   
M

3 h

  
medium priority

   
needs refinement

   
optional

   
question

More information is needed

  
S

1 h

  
UX research

   
wontfix

This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
high priority
invalid
L
low priority
M
medium priority
needs refinement
optional
question
S
UX research
wontfix
Milestone
Clear milestone
No items
No milestone
We have different roles and permissions
Projects
Clear projects
No items
No project
Sprint 12: 29.01.- 19.02
Assignees
Clear assignees
No assignees
moritz
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: local-it/mitgliederverwaltung#386
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?