local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 67 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

Seed Data - Roles and Default Assignment closes #365 #368

Merged
moritz merged 16 commits from feature/365_seed_roles into main 2026-01-25 17:21:04 +01:00
Conversation 0 Commits 16 Files changed 15 +301
2 changed files with 301 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 21b63cbe86 - Show all commits

169
test/accounts/user/changes/assign_default_role_test.exs Normal file
View file

@ -0,0 +1,169 @@
defmodule Mv.Accounts.User.Changes.AssignDefaultRoleTest do
@moduledoc """
Tests for AssignDefaultRole change module.
Tests cover:
- Automatic role assignment when no role is set
- Skipping assignment when role is already set (changeset, data, or argument)
- Handling missing "Mitglied" role gracefully
- Error handling for unexpected failures
"""
use Mv.DataCase, async: true
alias Mv.Accounts.User
alias Mv.Authorization.Role
setup do
# Ensure "Mitglied" role exists
Mv.DataCase.ensure_default_role()
# Get "Mitglied" role for assertions
{:ok, mitglied_role} = Role.get_mitglied_role()
%{mitglied_role: mitglied_role}
end
describe "change/3" do
test "assigns Mitglied role when no role is set", %{mitglied_role: mitglied_role} do
email = "test#{System.unique_integer([:positive])}@example.com"
# Create user - AssignDefaultRole change runs automatically via :create_user action
{:ok, user} =
User
|> Ash.Changeset.for_create(:create_user, %{email: email})
|> Ash.create(authorize?: false, domain: Mv.Accounts)
# Load user with role
{:ok, user_with_role} = Ash.load(user, :role, domain: Mv.Accounts, authorize?: false)
# Verify role was assigned
assert user_with_role.role != nil
assert user_with_role.role.id == mitglied_role.id
assert user_with_role.role.name == "Mitglied"
end
test "skips assignment when role relationship is already set in changeset", %{
mitglied_role: _mitglied_role
} do
# Create a different role
other_role =
Role
|> Ash.Changeset.for_create(:create_role, %{
name: "Test Role #{System.unique_integer([:positive])}",
description: "Test role",
permission_set_name: "own_data"
})
|> Ash.create!(authorize?: false, domain: Mv.Authorization)
# Test that AssignDefaultRole skips when role relationship is already set
# Create a changeset with role relationship already set BEFORE the change runs
changeset =
User
|> Ash.Changeset.for_create(:create_user, %{
email: "test#{System.unique_integer([:positive])}@example.com"
})
|> Ash.Changeset.manage_relationship(:role, other_role, type: :append_and_remove)
# Manually call the change to test it
result_changeset = Mv.Accounts.User.Changes.AssignDefaultRole.change(changeset, [], %{})
# The change should detect that role relationship is already set and skip assignment
# Verify by creating the user and checking the role
{:ok, user} = Ash.create(result_changeset, authorize?: false, domain: Mv.Accounts)
# Load user with role
{:ok, user_with_role} = Ash.load(user, :role, domain: Mv.Accounts, authorize?: false)
# Verify the explicitly set role was used, not "Mitglied"
assert user_with_role.role != nil
assert user_with_role.role.id == other_role.id
assert user_with_role.role.name != "Mitglied"
end
test "skips assignment when role_id is already set in data (upsert scenario)" do
# Create user with role
role =
Role
|> Ash.Changeset.for_create(:create_role, %{
name: "Test Role #{System.unique_integer([:positive])}",
description: "Test role",
permission_set_name: "own_data"
})
|> Ash.create!(authorize?: false, domain: Mv.Authorization)
{:ok, existing_user} =
User
|> Ash.Changeset.for_create(:create_user, %{
email: "existing#{System.unique_integer([:positive])}@example.com"
})
|> Ash.create(authorize?: false, domain: Mv.Accounts)
# Update user to have role
{:ok, user_with_role} =
existing_user
|> Ash.Changeset.for_update(:update, %{})
|> Ash.Changeset.manage_relationship(:role, role, type: :append_and_remove)
|> Ash.update(authorize?: false, domain: Mv.Accounts)
# Reload to get role_id in data
{:ok, user_with_role} =
Ash.load(user_with_role, :role, domain: Mv.Accounts, authorize?: false)
# Verify user has the explicitly set role
assert user_with_role.role != nil
assert user_with_role.role.id == role.id
# Now update user again - AssignDefaultRole should skip (role already set)
{:ok, updated_user} =
user_with_role
|> Ash.Changeset.for_update(:update, %{})
|> Ash.update(authorize?: false, domain: Mv.Accounts)
# Reload to verify role didn't change
{:ok, updated_user_with_role} =
Ash.load(updated_user, :role, domain: Mv.Accounts, authorize?: false)
# Role should still be the same (not changed to "Mitglied")
assert updated_user_with_role.role.id == role.id
assert updated_user_with_role.role.name != "Mitglied"
end
test "handles missing Mitglied role gracefully" do
# Test that change handles nil role gracefully
# Since we can't easily delete the system role, we test the code path
# by verifying that when get_mitglied_role returns nil, changeset is unchanged
changeset =
User
|> Ash.Changeset.for_create(:create_user, %{
email: "test#{System.unique_integer([:positive])}@example.com"
})
# The change should handle nil role gracefully
# If role exists, it will be assigned; if not, changeset remains unchanged
result_changeset = Mv.Accounts.User.Changes.AssignDefaultRole.change(changeset, [], %{})
# Changeset should be valid regardless
assert result_changeset.valid?
# If role exists, it should be assigned (we check this in other tests)
# If role doesn't exist, changeset should be unchanged (no error)
end
test "assigns role correctly in integration test" do
email = "integration#{System.unique_integer([:positive])}@example.com"
{:ok, user} =
User
|> Ash.Changeset.for_create(:create_user, %{email: email})
|> Ash.create(authorize?: false, domain: Mv.Accounts)
# Load user with role
{:ok, user_with_role} = Ash.load(user, :role, domain: Mv.Accounts, authorize?: false)
# Verify role was assigned
assert user_with_role.role != nil
assert user_with_role.role.name == "Mitglied"
assert user_with_role.role.permission_set_name == "own_data"
end
end
end

132
test/seeds_test.exs
View file

@ -121,4 +121,136 @@ defmodule Mv.SeedsTest do
assert :suspended in all_cycle_statuses, "At least one cycle should be suspended"
end
end
describe "Authorization roles (from seeds)" do
test "creates all 5 authorization roles with correct permission sets" do
# Run seeds once for this test
Code.eval_file("priv/repo/seeds.exs")
{:ok, roles} = Ash.read(Mv.Authorization.Role)
assert length(roles) >= 5, "Should have at least 5 roles"
# Check each role
role_configs = [
{"Mitglied", "own_data", true},
{"Vorstand", "read_only", false},
{"Kassenwart", "normal_user", false},
{"Buchhaltung", "read_only", false},
{"Admin", "admin", false}
]
Enum.each(role_configs, fn {name, perm_set, is_system} ->
role = Enum.find(roles, &(&1.name == name))
assert role, "Role #{name} should exist"
assert role.permission_set_name == perm_set
assert role.is_system_role == is_system
end)
end
test "Mitglied role is marked as system role" do
Code.eval_file("priv/repo/seeds.exs")
{:ok, mitglied} =
Mv.Authorization.Role
|> Ash.Query.filter(name == "Mitglied")
|> Ash.read_one()
assert mitglied.is_system_role == true
end
test "all roles have valid permission_set_names" do
Code.eval_file("priv/repo/seeds.exs")
{:ok, roles} = Ash.read(Mv.Authorization.Role)
valid_sets =
Mv.Authorization.PermissionSets.all_permission_sets()
|> Enum.map(&Atom.to_string/1)
Enum.each(roles, fn role ->
assert role.permission_set_name in valid_sets,
"Role #{role.name} has invalid permission_set_name: #{role.permission_set_name}"
end)
end
test "assigns Admin role to ADMIN_EMAIL user" do
Code.eval_file("priv/repo/seeds.exs")
admin_email = System.get_env("ADMIN_EMAIL") || "admin@localhost"
{:ok, admin_user} =
Mv.Accounts.User
|> Ash.Query.filter(email == ^admin_email)
|> Ash.read_one(domain: Mv.Accounts, authorize?: false)
assert admin_user != nil, "Admin user should exist after seeds run"
{:ok, admin_user_with_role} =
Ash.load(admin_user, :role, domain: Mv.Accounts, authorize?: false)
assert admin_user_with_role.role != nil, "Admin user should have a role assigned"
assert admin_user_with_role.role.name == "Admin"
assert admin_user_with_role.role.permission_set_name == "admin"
end
end
describe "Authorization role assignment" do
test "does not change role of users who already have a role" do
# Seeds once (creates Admin with Admin role)
Code.eval_file("priv/repo/seeds.exs")
admin_email = System.get_env("ADMIN_EMAIL") || "admin@localhost"
{:ok, admin_user} =
Mv.Accounts.User
|> Ash.Query.filter(email == ^admin_email)
|> Ash.read_one(domain: Mv.Accounts, authorize?: false)
assert admin_user != nil, "Admin user should exist after seeds run"
{:ok, admin_user_with_role} =
Ash.load(admin_user, :role, domain: Mv.Accounts, authorize?: false)
assert admin_user_with_role.role != nil, "Admin user should have a role assigned"
original_role_id = admin_user_with_role.role_id
assert admin_user_with_role.role.name == "Admin"
# Seeds again
Code.eval_file("priv/repo/seeds.exs")
# Admin reloaded
{:ok, admin_reloaded} =
Mv.Accounts.User
|> Ash.Query.filter(email == ^admin_email)
|> Ash.read_one(domain: Mv.Accounts, authorize?: false)
assert admin_reloaded != nil, "Admin user should still exist after re-running seeds"
{:ok, admin_reloaded_with_role} =
Ash.load(admin_reloaded, :role, domain: Mv.Accounts, authorize?: false)
assert admin_reloaded_with_role.role != nil,
"Admin user should still have a role after re-running seeds"
assert admin_reloaded_with_role.role_id == original_role_id
assert admin_reloaded_with_role.role.name == "Admin"
end
test "role creation is idempotent" do
Code.eval_file("priv/repo/seeds.exs")
{:ok, roles_1} = Ash.read(Mv.Authorization.Role)
Code.eval_file("priv/repo/seeds.exs")
{:ok, roles_2} = Ash.read(Mv.Authorization.Role)
assert length(roles_1) == length(roles_2),
"Role count should remain same after re-running seeds"
# Each role should appear exactly once
role_names = Enum.map(roles_2, & &1.name)
assert length(role_names) == length(Enum.uniq(role_names)),
"Each role name should appear exactly once"
end
end
end