local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 66 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

Complete Permissions for Groups, Membership Fees, and User Role Assignment closes #404 #405

Merged
moritz merged 26 commits from feature/404_permission_completeness into main 2026-02-04 11:47:19 +01:00
Conversation 0 Commits 26 Files changed 61 +2863 -987
moritz commented 2026-02-03 23:55:38 +01:00
Owner
Copy link

Description of the implemented changes

The changes were:

  • Bugfixing
  • New Feature
  • Breaking Change
  • Refactoring

What has been changed?

Definition of Done

Code Quality

  • No new technical depths
  • Linting passed
  • Documentation is added were needed

Accessibility

  • New elements are properly defined with html-tags
  • Colour contrast follows WCAG criteria
  • Aria labels are added when needed
  • Everything is accessible by keyboard
  • Tab-Order is comprehensible
  • All interactive elements have a visible focus

Testing

  • Tests for new code are written
  • All tests pass
  • axe-core dev tools show no critical or major issues

Additional Notes

## Description of the implemented changes The changes were: - [x] Bugfixing - [x] New Feature - [x] Breaking Change - [ ] Refactoring <!--- Describe the goal of the PR in a few words --> ## What has been changed? <!--- List the things you changed --> ## Definition of Done ### Code Quality - [ ] No new technical depths - [x] Linting passed - [x] Documentation is added were needed ### Accessibility - [ ] New elements are properly defined with html-tags - [ ] Colour contrast follows WCAG criteria - [ ] Aria labels are added when needed - [ ] Everything is accessible by keyboard - [ ] Tab-Order is comprehensible - [ ] All interactive elements have a visible focus ### Testing - [x] Tests for new code are written - [x] All tests pass - [x] axe-core dev tools show no critical or major issues ## Additional Notes <!--- Add any additional information for the reviewers here -->
moritz added this to the We have different roles and permissions milestone 2026-02-03 23:55:38 +01:00
moritz self-assigned this 2026-02-03 23:55:38 +01:00
moritz added 7 commits 2026-02-03 23:55:39 +01:00 
- Extend permission_sets.ex with resources and pages for new domains
- Adjust HasPermission check for resource/action/scope
- Update roles-and-permissions and implementation-plan docs
- Add permission_sets_test.exs coverage
- Group/MemberGroup/MembershipFeeType/MembershipFeeCycle: HasPermission policy
- normal_user: Group and MembershipFeeCycle create/update/destroy; pages /groups/new, /groups/:slug/edit
- Add policy tests for all four resources
- setting.ex: domain/authorize for default_membership_fee_type_id check
- validate_same_interval: require membership_fee_type (no None)
- set_membership_fee_start_date: domain/actor for fee type lookup
- Validations: domain/authorize for cross-resource checks
- helpers.ex, email_sync change, seeds.exs actor/authorize fixes
- Update related tests
- User resource: update_user accepts role_id, manage_relationship :member
- user_live/form: touch role_id, params_with_member_if_unchanged to avoid unlink
- Handle Forbidden in form, extract error message for display
- user_policies_test and form_test coverage
- Show: handle_info :member_updated and :put_flash; Linked User only when can_access_page? /users
- MembershipFeesComponent: can_create_cycle/can_destroy_cycle/can_update_cycle; buttons gated
- Delete all cycles via Ash.destroy (policy enforced); format_error Forbidden
- Regenerate cycles for normal_user and admin (no admin-only check)
- Member form: format_error tuple for membership_fee_type_id; Select a membership fee type (no None)
- show_membership_fees_test: read_only UI and policy tests
- membership_fee_settings_live: current_actor(socket), Ash.read! with actor
- membership_fee_type_live/form: Ash.get! with actor in mount
- check_page_permission_test: normal_user /groups/new and /groups/:slug/edit allowed
- membership_fee_type_live form_test: actor for Ash.read_one!/get!
Docs, gettext, and remaining test updates
All checks were successful
continuous-integration/drone/push Build is passing
Details
c4459ebb92 
- groups-architecture and membership-fee-architecture docs
- Gettext: add/correct German for authorization and membership fee type
- membership_fee_helpers_test and membership_fee_status_test adjustments
moritz added 6 commits 2026-02-04 01:03:03 +01:00 
Use perm/3 helper for admin resource permissions (DRY). MemberGroup
keeps read/create/destroy only (no update in domain).
- Delete each cycle with Ash.destroy(actor:) so policies apply; add do_delete_all_cycles/5.
- Use positive can? check; remove duplicate current_actor(socket) in change_membership_fee_type.
Single describe with @tag permission_set and for-loop; one setup per permission set.
- Policy tests: use Fixtures where applicable; create_custom_field() fix in custom_field_value.
- Replace unused actor with _actor, remove unused alias Accounts in policy tests.
- profile_navigation_test: disable Credo for intentional TODO comment.
Docs and tests: fix CODE_GUIDELINES structure, use Mv.Fixtures in show_membership_fees_test
All checks were successful
continuous-integration/drone/push Build is passing
Details
03d3a7eb1b 
- CODE_GUIDELINES: correct custom_field/custom_field_value descriptions, add fixtures.ex to test support
- show_membership_fees_test: use Mv.Fixtures.member_fixture, remove redundant create_member helper
moritz added 5 commits 2026-02-04 09:28:20 +01:00 
- Handler returns flash error when non-admin triggers event (e.g. DevTools).
- Test: read_only cannot create MembershipFeeCycle so handler rejects.
- Last-admin only when target role is non-admin (admins may switch admin roles).
- Use Ash.Changeset.get_attribute for new role_id. Tests: admin role switch, non-admin update_user role_id forbidden.
- ActorPermissionSetIs check; bypass policy filters by member_id for own_data only.
- Admin with member_id still gets :all via HasPermission. Tests added.
- own_data gets read scope :linked; apply_scope in HasPermission; bypass check for own_data.
- PermissionSetsTest expects own_data :linked, others :all for MFC read.
Docs: groups and roles/permissions architecture, Group moduledoc
All checks were successful
continuous-integration/drone/push Build is passing
Details
c035d0f141 
- groups-architecture: normal_user and admin can manage groups.
- roles-and-permissions: matrix and MembershipFeeCycle :linked for own_data.
- group_policies_test: update moduledoc.
moritz changed title from WIP: Complete Permissions for Groups, Membership Fees, and User Role Assignment closes #404 to Complete Permissions for Groups, Membership Fees, and User Role Assignment closes #404 2026-02-04 09:30:51 +01:00
moritz added 1 commit 2026-02-04 09:39:01 +01:00
Hide Regenerate Cycles button when no membership fee type assigned
All checks were successful
continuous-integration/drone/push Build is passing
Details
7eba21dc9c 
- Button only shown when @member.membership_fee_type is set (same as Create Cycle).
- Test: no-type view asserts Regenerate Cycles button is not present.
moritz added 4 commits 2026-02-04 11:11:19 +01:00 
- Index: load :role; columns Role, Password (has_password?), OIDC; contrast fix.
- Show: Role, OIDC (Linked/Not linked); has_password? for Password Authentication.
- UserHelpers: has_password?/1, has_oidc?/1. Gettext: new strings and DE translations.
- Sort button: aria-sort removed (button role does not support it).
- Index tests: remove aria-sort assertions; add Password column display tests.
- Additional users (hans, greta, maria, thomas) created without admin_set_password.
- Removed no-password@example.de user.
User form: red warning for OIDC users when setting/changing password
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/promote/production Build is passing
Details
d7c6d20483 
- Show alert when user has oidc_id and password section is visible.
- Explains that password here does not change SSO/identity provider password.
moritz added 3 commits 2026-02-04 11:42:47 +01:00 
- Docs: Regenerate Cycles server-side enforcement note in membership-fee-architecture.
- Index OIDC column and show OIDC item use has_oidc? instead of raw oidc_id.
- Avoids empty string showing as Linked.
ARIA: set aria-sort on th for sortable columns
Some checks reported errors
continuous-integration/drone/push Build was killed
Details
continuous-integration/drone/promote/production Build is passing
Details
083592489f 
- Table: optional col sort_field; th gets aria-sort when col is sorted.
- User index: pass sort_field/sort_order to table, sort_field: :email on email col.
moritz merged commit d13fbef890 into main 2026-02-04 11:47:19 +01:00
moritz deleted branch feature/404_permission_completeness 2026-02-04 11:47:21 +01:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
high priority

   
invalid

Something is wrong

  
L

5 h

  
low priority

   
M

3 h

  
medium priority

   
needs refinement

   
optional

   
question

More information is needed

  
S

1 h

  
UX research

   
wontfix

This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
high priority
invalid
L
low priority
M
medium priority
needs refinement
optional
question
S
UX research
wontfix
Milestone
Clear milestone
No items
No milestone
We have different roles and permissions
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
moritz
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: local-it/mitgliederverwaltung#405
No description provided.
Delete branch "feature/404_permission_completeness"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?