User Resource Policies closes #363 #364

Merged
moritz merged 20 commits from feature/363_user_policies into main 2026-01-22 23:24:38 +01:00
Showing only changes of commit 7d0f5fde86 - Show all commits


@ -60,15 +60,20 @@ defmodule Mv.Accounts.UserPoliciesTest do
create_user_with_permission_set("own_data")
end
# Shared test setup for permission sets with scope :own access
defp setup_user_with_own_access(permission_set) do
user = create_user_with_permission_set(permission_set)
other_user = create_other_user()
# Reload user to ensure role is preloaded
{:ok, user} = Ash.get(Accounts.User, user.id, domain: Mv.Accounts, load: [:role])
%{user: user, other_user: other_user}
end
describe "own_data permission set (Mitglied)" do
setup do
user = create_user_with_permission_set("own_data")
other_user = create_other_user()
# Reload user to ensure role is preloaded
{:ok, user} = Ash.get(Accounts.User, user.id, domain: Mv.Accounts, load: [:role])
%{user: user, other_user: other_user}
setup_user_with_own_access("own_data")
end
test "can read own user record", %{user: user} do
@ -136,13 +141,7 @@ defmodule Mv.Accounts.UserPoliciesTest do
describe "read_only permission set (Vorstand/Buchhaltung)" do
setup do
user = create_user_with_permission_set("read_only")
other_user = create_other_user()
# Reload user to ensure role is preloaded
{:ok, user} = Ash.get(Accounts.User, user.id, domain: Mv.Accounts, load: [:role])
%{user: user, other_user: other_user}
setup_user_with_own_access("read_only")
end
test "can read own user record", %{user: user} do
@ -169,6 +168,7 @@ defmodule Mv.Accounts.UserPoliciesTest do
} do
# Note: With auto_filter policies, when a user tries to read a user that doesn't
# match the filter (id == actor.id), Ash returns NotFound, not Forbidden.
# This is the expected behavior - the filter makes the record "invisible" to the user.
assert_raise Ash.Error.Invalid, fn ->
Ash.get!(Accounts.User, other_user.id, actor: user, domain: Mv.Accounts)
end
@ -209,13 +209,7 @@ defmodule Mv.Accounts.UserPoliciesTest do
describe "normal_user permission set (Kassenwart)" do
setup do
user = create_user_with_permission_set("normal_user")
other_user = create_other_user()
# Reload user to ensure role is preloaded
{:ok, user} = Ash.get(Accounts.User, user.id, domain: Mv.Accounts, load: [:role])
%{user: user, other_user: other_user}
setup_user_with_own_access("normal_user")
end
test "can read own user record", %{user: user} do
@ -242,6 +236,7 @@ defmodule Mv.Accounts.UserPoliciesTest do
} do
# Note: With auto_filter policies, when a user tries to read a user that doesn't
# match the filter (id == actor.id), Ash returns NotFound, not Forbidden.
# This is the expected behavior - the filter makes the record "invisible" to the user.
assert_raise Ash.Error.Invalid, fn ->
Ash.get!(Accounts.User, other_user.id, actor: user, domain: Mv.Accounts)
end
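Review bot: The cross-user read tests at `assert_raise Ash.Error.Invalid, fn ->` (in both the read_only and the normal_user blocks) pin only the error class, while the comment directly above says the expected outcome is NotFound rather than Forbidden. Any other error that Ash groups under `Ash.Error.Invalid` would also satisfy the assertion, so the test does not show that the policy filter is what hid the other user's record. Capture the exception and assert on its contents, e.g. `error = assert_raise Ash.Error.Invalid, fn -> ... end` followed by `assert Enum.any?(error.errors, &match?(%Ash.Error.Query.NotFound{}, &1))`. The enclosing test blocks start above these hunks, so their names and full context patterns are not visible here.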