local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 66 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

Page Permission Router Plug closes #388 #390

Merged
moritz merged 16 commits from feature/388_page_permissions into main 2026-01-30 12:20:00 +01:00
Conversation 0 Commits 16 Files changed 31 +1736 -257

16 commits

Author SHA1 Message Date
Moritz
f8f6583679 PermissionSetsTest: assert /users/:id instead of /profile in pages
Some checks reported errors
continuous-integration/drone/push Build was killed
Details
continuous-integration/drone/promote/production Build is passing
Details 
Profile is reachable at /users/:id; /profile was removed from PermissionSets.
 2026-01-30 11:37:34 +01:00
Moritz
6e13a3aa34
Docs: note User-Member Linking enforcement in code
Some checks reported errors
continuous-integration/drone/push Build was killed
Details
continuous-integration/drone/promote/production Build is failing
Details 
- update_user restricted via ActorIsAdmin; Form gates Member-Linking UI
 2026-01-30 11:28:41 +01:00
Moritz
cf6bd4a6a1 UserPoliciesTest: use :update for non-admin own-email and forbid-other 
- own_data, read_only, normal_user: can update own email via :update
- cannot update other users: use :update (scope :own forbids)
 2026-01-30 11:13:34 +01:00
Moritz
06d6531569 UserLive.Form: gate Member-Linking to admin, use :update for non-admin 
- Show Member-Linking UI only when can_manage_member_linking (admin)
- perform_member_link_action runs only for admin
- assign_form: non-admin uses :update (email), admin uses :update_user
- Load members for linking only when can_manage_member_linking
 2026-01-30 11:13:28 +01:00
Moritz
14fa873640 Restrict User.update_user to admin; allow :update for email only 
- Add ActorIsAdmin policy check (admin permission set only)
- User: policy action(:update_user) forbid_unless + authorize_if ActorIsAdmin
- User: primary :update action accept [:email] for non-admin profile edit
 2026-01-30 11:13:23 +01:00
Moritz
faee780aab Tests: read_only/normal_user /users/:id, Ash.read! actor, Authorization own/other
All checks were successful
continuous-integration/drone/push Build is passing
Details 
- Integration: read_only and normal_user GET /users/:id (own) and edit/show/edit return 200
- Integration: read_only GET /users/:id (other) redirects
- Plug test: use group_fixture in setup instead of Ash.read!() without actor
- Authorization: tests for own/other profile and reserved 'new'
 2026-01-30 10:22:34 +01:00
Moritz
a1fe36b7f2 Delegate can_access_page? to CheckPagePermission 
- UI uses same rules as plug (reserved 'new', own/linked path checks)
 2026-01-30 10:22:31 +01:00
Moritz
ea1d01fcea Docs: align route matrix with PermissionSets, add Role-Load note 
- Table: own_data/read_only/normal_user /users/:id and edit/show/edit; members edit/show/edit
- Integration test sections updated for read_only and normal_user
- Add note on plug reloading role and member_id when needed
 2026-01-30 10:22:30 +01:00
Moritz
d318dad612 Add /users/:id (own) and /members/:id/show/edit for redirect and normal_user 
- read_only and normal_user: allow /users/:id, /users/:id/edit, /users/:id/show/edit (own only)
- normal_user: allow /members/:id/show/edit
- Fixes redirect loop when sidebar links to profile
 2026-01-30 10:22:27 +01:00
Moritz
3a7e4000c0
fix: fix warning of unused variable in UserLive.IndexTest
All checks were successful
continuous-integration/drone/push Build is passing
Details
2026-01-30 00:13:40 +01:00
Moritz
28d134b2b0
chore: remove unused aliases in tests
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/promote/production Build is passing
Details 
- Drop unused Member alias from membership and membership_fees test files.
 2026-01-30 00:00:33 +01:00
Moritz
f66cd2933a
docs: add page permission route and test coverage 
- page-permission-route-coverage.md: route matrix, test coverage per role,
  reserved segments.
 2026-01-30 00:00:33 +01:00
Moritz
b55f356762
fix: handle nil member in MembershipFeeHelpers 
- get_last_completed_cycle/2 and get_current_cycle/2 return nil when member is nil.
- Avoids FunctionClauseError when MemberLive.Show receives no member (e.g. after
  redirect or policy filter). Add unit tests for nil member.
 2026-01-30 00:00:32 +01:00
Moritz
ad00e8e7b6
test: add page permission tests and ConnCase role tags 
- ConnCase: add :read_only and :normal_user role tags for tests.
- Add CheckPagePermission plug tests (unit + integration for member, read_only,
  normal_user, admin). Update permission_sets_test (refute "/" for own_data).
- Profile navigation, global_settings, role_live, membership_fee_type: use
  users with role for "/" access; expect redirect for own_data on /settings
  and /admin/roles.
 2026-01-30 00:00:32 +01:00
Moritz
626e8a872e
feat: restrict own_data to profile and linked member pages 
- Remove "/" from own_data pages (Mitglied redirected to profile at root).
- Add /users/:id, /users/:id/edit, /users/:id/show/edit and member edit pages
  for own_data so members can access own profile and linked member only.
 2026-01-30 00:00:31 +01:00
Moritz
b10b9c893c
feat: add CheckPagePermission plug for page-level authorization 
- Plug checks PermissionSets page list; redirects unauthorized to profile or sign-in.
- Router: add plug to :browser pipeline; LiveHelpers: check_page_permission_on_params
  for client-side navigation (push_patch).
 2026-01-30 00:00:31 +01:00