Page Permission Router Plug closes #388 #390

Merged
moritz merged 16 commits from feature/388_page_permissions into main 2026-01-30 12:20:00 +01:00
Owner

## Description of the implemented changes

The changes were:

- [ ] Bugfixing
- [x] New Feature
- [ ] Breaking Change
- [ ] Refactoring

## What has been changed?

## Definition of Done

### Code Quality

- [x] No new technical debt
- [x] Linting passed
- [x] Documentation is added where needed

### Accessibility

- [ ] New elements are properly defined with html-tags
- [ ] Colour contrast follows WCAG criteria
- [ ] Aria labels are added when needed
- [ ] Everything is accessible by keyboard
- [ ] Tab-Order is comprehensible
- [ ] All interactive elements have a visible focus

### Testing

- [x] Tests for new code are written
- [x] All tests pass
- [ ] axe-core dev tools show no critical or major issues

## Additional Notes
moritz added this to the Accounts & Logins milestone 2026-01-30 00:01:43 +01:00
moritz self-assigned this 2026-01-30 00:01:43 +01:00
moritz added 6 commits 2026-01-30 00:01:45 +01:00
- Plug checks PermissionSets page list; redirects unauthorized to profile or sign-in.
- Router: add plug to :browser pipeline; LiveHelpers: check_page_permission_on_params
  for client-side navigation (push_patch).
- Remove "/" from own_data pages (Mitglied redirected to profile at root).
- Add /users/:id, /users/:id/edit, /users/:id/show/edit and member edit pages
  for own_data so members can access own profile and linked member only.
- ConnCase: add :read_only and :normal_user role tags for tests.
- Add CheckPagePermission plug tests (unit + integration for member, read_only,
  normal_user, admin). Update permission_sets_test (refute "/" for own_data).
- Profile navigation, global_settings, role_live, membership_fee_type: use
  users with role for "/" access; expect redirect for own_data on /settings
  and /admin/roles.
- get_last_completed_cycle/2 and get_current_cycle/2 return nil when member is nil.
- Avoids FunctionClauseError when MemberLive.Show receives no member (e.g. after
  redirect or policy filter). Add unit tests for nil member.
- page-permission-route-coverage.md: route matrix, test coverage per role,
  reserved segments.
chore: remove unused aliases in tests
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/promote/production Build is passing
28d134b2b0
- Drop unused Member alias from membership and membership_fees test files.
moritz added 1 commit 2026-01-30 00:17:45 +01:00
fix: fix warning of unused variable in UserLive.IndexTest
All checks were successful
continuous-integration/drone/push Build is passing
3a7e4000c0
moritz added 4 commits 2026-01-30 10:24:51 +01:00
- read_only and normal_user: allow /users/:id, /users/:id/edit, /users/:id/show/edit (own only)
- normal_user: allow /members/:id/show/edit
- Fixes redirect loop when sidebar links to profile
- Table: own_data/read_only/normal_user /users/:id and edit/show/edit; members edit/show/edit
- Integration test sections updated for read_only and normal_user
- Add note on plug reloading role and member_id when needed
- UI uses same rules as plug (reserved 'new', own/linked path checks)
Tests: read_only/normal_user /users/:id, Ash.read! actor, Authorization own/other
All checks were successful
continuous-integration/drone/push Build is passing
faee780aab
- Integration: read_only and normal_user GET /users/:id (own) and edit/show/edit return 200
- Integration: read_only GET /users/:id (other) redirects
- Plug test: use group_fixture in setup instead of Ash.read!() without actor
- Authorization: tests for own/other profile and reserved 'new'
moritz added 4 commits 2026-01-30 11:15:39 +01:00
- Add ActorIsAdmin policy check (admin permission set only)
- User: policy action(:update_user) forbid_unless + authorize_if ActorIsAdmin
- User: primary :update action accept [:email] for non-admin profile edit
- Show Member-Linking UI only when can_manage_member_linking (admin)
- perform_member_link_action runs only for admin
- assign_form: non-admin uses :update (email), admin uses :update_user
- Load members for linking only when can_manage_member_linking
- own_data, read_only, normal_user: can update own email via :update
- cannot update other users: use :update (scope :own forbids)
Docs: note User-Member Linking enforcement in code
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/promote/production Build is passing
f0134f00ee
- update_user restricted via ActorIsAdmin; Form gates Member-Linking UI
moritz force-pushed feature/388_page_permissions from f0134f00ee to 6e13a3aa34 2026-01-30 11:28:53 +01:00
moritz changed title from WIP: Page Permission Router Plug closes #388 to Page Permission Router Plug closes #388 2026-01-30 11:29:07 +01:00
moritz added 1 commit 2026-01-30 11:44:33 +01:00
PermissionSetsTest: assert /users/:id instead of /profile in pages
Some checks reported errors
continuous-integration/drone/push Build was killed
continuous-integration/drone/promote/production Build is passing
f8f6583679
Profile is reachable at /users/:id; /profile was removed from PermissionSets.
moritz merged commit b9dd990f52 into main 2026-01-30 12:20:00 +01:00
moritz deleted branch feature/388_page_permissions 2026-01-30 12:20:01 +01:00
moritz modified the milestone from Accounts & Logins to We have different roles and permissions 2026-02-03 16:38:33 +01:00
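
The page check the commit notes describe (a page list per permission set, own-only `/users/:id`, reserved `new`, redirect to profile or sign-in), as an added Elixir sketch that is not the project's code. The module name, data shapes, the `"*"` admin entry and the `/sign-in` path are assumptions; it uses plain functions instead of a real Plug and leaves out the linked-member check for `/members/:id`.

```elixir
# Added sketch, not the project's plug. Names and data shapes are assumptions.
defmodule PagePermissionSketch do
  # Segments that must never be read as an :id (the notes mention reserved 'new').
  @reserved ~w(new)

  # Constructed page lists. The own_data entries follow the commit notes;
  # the "*" entry for admin is an assumption.
  @pages %{
    own_data: ["/users/:id", "/users/:id/edit", "/users/:id/show/edit"],
    admin: ["*"]
  }

  @doc "Returns :ok, or {:redirect, path} when the page is not allowed."
  # No actor: send to sign-in (path name assumed).
  def decide(nil, _path), do: {:redirect, "/sign-in"}

  def decide(%{id: id, permission_set: set} = actor, path) do
    segments = split(path)
    patterns = Map.get(@pages, set, [])

    if Enum.any?(patterns, &page_match?(split(&1), segments, actor)) do
      :ok
    else
      # Denied: fall back to the actor's own profile, which must itself be
      # in the page list or this redirect would loop.
      {:redirect, "/users/#{id}"}
    end
  end

  defp split(path), do: String.split(path, "/", trim: true)

  defp page_match?(["*"], _segments, _actor), do: true
  defp page_match?([], [], _actor), do: true

  # ":id" matches only the actor's own id and never a reserved segment.
  defp page_match?([":id" | pt], [seg | st], actor),
    do: seg not in @reserved and seg == actor.id and page_match?(pt, st, actor)

  defp page_match?([lit | pt], [lit | st], actor), do: page_match?(pt, st, actor)
  defp page_match?(_pattern, _segments, _actor), do: false
end

# Constructed actor and requests: root, own edit page, another user, reserved 'new'.
member = %{id: "42", permission_set: :own_data}
for path <- ["/", "/users/42/edit", "/users/7", "/users/new"] do
  IO.inspect({path, PagePermissionSketch.decide(member, path)})
end
IO.inspect(PagePermissionSketch.decide(nil, "/users/42"))
```

Running the same decision function from both the router pipeline and the LiveView params hook is what keeps `push_patch` navigation from bypassing the check.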