CustomFieldValue Resource Policies closes #369 #377

Merged
moritz merged 12 commits from feature/369_customfieldvalue_policies into main 2026-01-27 16:07:48 +01:00

Description of the implemented changes

The changes were:

  • [ ] Bugfixing
  • [x] New Feature
  • [ ] Breaking Change
  • [ ] Refactoring

What has been changed?

Definition of Done

Code Quality

  • [x] No new technical debt
  • [x] Linting passed
  • [x] Documentation is added where needed

Accessibility

  • [ ] New elements are properly defined with html-tags
  • [ ] Colour contrast follows WCAG criteria
  • [ ] Aria labels are added when needed
  • [ ] Everything is accessible by keyboard
  • [ ] Tab-Order is comprehensible
  • [ ] All interactive elements have a visible focus

Testing

  • [x] Tests for new code are written
  • [x] All tests pass
  • [ ] axe-core dev tools show no critical or major issues

Additional Notes

moritz added this to the Accounts & Logins milestone 2026-01-27 13:42:26 +01:00
moritz self-assigned this 2026-01-27 13:42:26 +01:00
moritz added 7 commits 2026-01-27 13:42:27 +01:00
Allows members to create and delete custom field values for their linked member.
Ash cannot apply filters to create; this check enforces :linked/:all scope
via strict_check only (no filter).
- Authorizer and policies: bypass for read (member_id == actor.member_id),
  CustomFieldValueCreateScope for create, HasPermission for read/update/destroy.
- HasPermission: pass authorizer into strict_check helper; document that create
  must use a dedicated check (no filter).
Required after CustomFieldValue gained authorization policies.
Covers read/update/create/destroy for linked vs unlinked members and CRUD
permissions per permission set.
Update roles-and-permissions-architecture.md with policy layout and
permission matrix for CustomFieldValue (linked).
chore: remove start-database from test action
All checks were successful
continuous-integration/drone/push Build is passing
ba8c12f3ea
moritz added 5 commits 2026-01-27 15:49:05 +01:00
- Read member_id via Ash.Changeset.get_argument_or_attribute/2 so it works
  when set as attribute or argument
- Remove unused require Logger
- Document member_id source in moduledoc
- create_linked_member_for_user and create_unlinked_member use actor
  (system_actor) directly instead of creating admin user per call
- Remove create_admin_user helper
- After destroy, verify with Ash.get(..., actor: actor) to avoid
  false positive from Forbidden vs NotFound
Docs: document bypass read rule for CustomFieldValue pattern
All checks were successful
continuous-integration/drone/push Build is passing
c48feb2128
- Bypass action_type(:read) is production-side rule: reading own CFVs
  always allowed, overrides Permission-Sets. Applies to get/list/load.
moritz force-pushed feature/369_customfieldvalue_policies from c48feb2128 to bfe9fba2e0 2026-01-27 16:07:06 +01:00 Compare
moritz merged commit b974e7d685 into main 2026-01-27 16:07:48 +01:00
moritz deleted branch feature/369_customfieldvalue_policies 2026-01-27 16:07:49 +01:00
moritz modified the milestone from Accounts & Logins to We have different roles and permissions 2026-02-03 16:38:48 +01:00
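
The scope rules described in the commit messages above, as an added example that is not code from this pull request: a plain-Elixir model (no Ash dependency) of the read bypass, the strict create check, and the fail-closed default. `ScopeModel`, the actor map shape, and the `:scopes` key are hypothetical; `:linked` and `:all` are the scopes named on this page.

```elixir
# Added example, not code from this PR. ScopeModel, the actor map shape and
# the :scopes key are hypothetical; :linked / :all are the scopes named above.
defmodule ScopeModel do
  # Read bypass: a value of the actor's own linked member is always readable,
  # whatever the permission set grants.
  def authorize(%{member_id: mid}, :read, %{member_id: mid}) when not is_nil(mid), do: :ok

  # Create has no stored row to filter, so the scope is decided as a strict
  # yes/no on the member_id the changeset carries. Existing rows
  # (read/update/destroy) are decided on the row's member_id.
  def authorize(actor, action, %{member_id: member_id})
      when action in [:create, :read, :update, :destroy],
      do: by_scope(actor, action, member_id)

  # Fail closed: no actor, no scope for the action, or a nil member_id.
  defp by_scope(%{member_id: own, scopes: scopes}, action, member_id) do
    case Map.get(scopes, action) do
      :all -> :ok
      :linked when not is_nil(own) and own == member_id -> :ok
      _ -> {:error, :forbidden}
    end
  end

  defp by_scope(_actor, _action, _member_id), do: {:error, :forbidden}
end

# Constructed sample actors and values.
member = %{member_id: "m1", scopes: %{create: :linked, destroy: :linked}}
admin = %{member_id: nil, scopes: %{create: :all, read: :all, update: :all, destroy: :all}}
unlinked = %{member_id: nil, scopes: %{create: :linked}}

# Each match raises MatchError if the decision differs from the expectation.
:ok = ScopeModel.authorize(member, :create, %{member_id: "m1"})
{:error, :forbidden} = ScopeModel.authorize(member, :create, %{member_id: "m2"})
{:error, :forbidden} = ScopeModel.authorize(member, :update, %{member_id: "m1"})
:ok = ScopeModel.authorize(member, :read, %{member_id: "m1"})
{:error, :forbidden} = ScopeModel.authorize(member, :read, %{member_id: "m2"})
:ok = ScopeModel.authorize(admin, :create, %{member_id: "m2"})
{:error, :forbidden} = ScopeModel.authorize(unlinked, :create, %{member_id: nil})
{:error, :forbidden} = ScopeModel.authorize(nil, :read, %{member_id: "m1"})
```

The `unlinked` case shows why the `:linked` comparison needs an explicit nil guard: without it, an actor with no linked member would match a changeset that also carries no `member_id`.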