local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 67 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

Page Permission Router Plug closes #388 #390

Merged
moritz merged 16 commits from feature/388_page_permissions into main 2026-01-30 12:20:00 +01:00
Conversation 0 Commits 16 Files changed 31 +9 -6
1 changed files with 9 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit cf6bd4a6a1 - Show all commits

15
test/mv/accounts/user_policies_test.exs
View file

@ -95,9 +95,10 @@ defmodule Mv.Accounts.UserPoliciesTest do
test "can update own email", %{user: user} do test "can update own email", %{user: user} do
new_email = "updated#{System.unique_integer([:positive])}@example.com" new_email = "updated#{System.unique_integer([:positive])}@example.com"
# Non-admins use :update (email only); :update_user is admin-only (member link/unlink).
{:ok, updated_user} = {:ok, updated_user} =
user user
|> Ash.Changeset.for_update(:update_user, %{email: new_email}) |> Ash.Changeset.for_update(:update, %{email: new_email})
|> Ash.update(actor: user) |> Ash.update(actor: user)
assert updated_user.email == Ash.CiString.new(new_email) assert updated_user.email == Ash.CiString.new(new_email)
@ -118,7 +119,7 @@ defmodule Mv.Accounts.UserPoliciesTest do
test "cannot update other users (returns forbidden)", %{user: user, other_user: other_user} do test "cannot update other users (returns forbidden)", %{user: user, other_user: other_user} do
assert_raise Ash.Error.Forbidden, fn -> assert_raise Ash.Error.Forbidden, fn ->
other_user other_user
|> Ash.Changeset.for_update(:update_user, %{email: "hacked@example.com"}) |> Ash.Changeset.for_update(:update, %{email: "hacked@example.com"})
|> Ash.update!(actor: user) |> Ash.update!(actor: user)
end end
end end
@ -163,9 +164,10 @@ defmodule Mv.Accounts.UserPoliciesTest do
test "can update own email", %{user: user} do test "can update own email", %{user: user} do
new_email = "updated#{System.unique_integer([:positive])}@example.com" new_email = "updated#{System.unique_integer([:positive])}@example.com"
# Non-admins use :update (email only); :update_user is admin-only (member link/unlink).
{:ok, updated_user} = {:ok, updated_user} =
user user
|> Ash.Changeset.for_update(:update_user, %{email: new_email}) |> Ash.Changeset.for_update(:update, %{email: new_email})
|> Ash.update(actor: user) |> Ash.update(actor: user)
assert updated_user.email == Ash.CiString.new(new_email) assert updated_user.email == Ash.CiString.new(new_email)
@ -186,7 +188,7 @@ defmodule Mv.Accounts.UserPoliciesTest do
test "cannot update other users (returns forbidden)", %{user: user, other_user: other_user} do test "cannot update other users (returns forbidden)", %{user: user, other_user: other_user} do
assert_raise Ash.Error.Forbidden, fn -> assert_raise Ash.Error.Forbidden, fn ->
other_user other_user
|> Ash.Changeset.for_update(:update_user, %{email: "hacked@example.com"}) |> Ash.Changeset.for_update(:update, %{email: "hacked@example.com"})
|> Ash.update!(actor: user) |> Ash.update!(actor: user)
end end
end end
@ -231,9 +233,10 @@ defmodule Mv.Accounts.UserPoliciesTest do
test "can update own email", %{user: user} do test "can update own email", %{user: user} do
new_email = "updated#{System.unique_integer([:positive])}@example.com" new_email = "updated#{System.unique_integer([:positive])}@example.com"
# Non-admins use :update (email only); :update_user is admin-only (member link/unlink).
{:ok, updated_user} = {:ok, updated_user} =
user user
|> Ash.Changeset.for_update(:update_user, %{email: new_email}) |> Ash.Changeset.for_update(:update, %{email: new_email})
|> Ash.update(actor: user) |> Ash.update(actor: user)
assert updated_user.email == Ash.CiString.new(new_email) assert updated_user.email == Ash.CiString.new(new_email)
@ -254,7 +257,7 @@ defmodule Mv.Accounts.UserPoliciesTest do
test "cannot update other users (returns forbidden)", %{user: user, other_user: other_user} do test "cannot update other users (returns forbidden)", %{user: user, other_user: other_user} do
assert_raise Ash.Error.Forbidden, fn -> assert_raise Ash.Error.Forbidden, fn ->
other_user other_user
|> Ash.Changeset.for_update(:update_user, %{email: "hacked@example.com"}) |> Ash.Changeset.for_update(:update, %{email: "hacked@example.com"})
|> Ash.update!(actor: user) |> Ash.update!(actor: user)
end end
end end