local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 67 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

Page Permission Router Plug closes #388 #390

Merged
moritz merged 16 commits from feature/388_page_permissions into main 2026-01-30 12:20:00 +01:00
Conversation 0 Commits 16 Files changed 31 +106 -6
2 changed files with 106 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit faee780aab - Show all commits

33
test/mv_web/authorization_test.exs
View file

@ -183,6 +183,39 @@ defmodule MvWeb.AuthorizationTest do
assert Authorization.can_access_page?(read_only_user, "/members/123/edit") == false
end
test "read_only can access own profile /users/:id only" do
read_only_user = %{
id: "read-only-123",
role: %{permission_set_name: "read_only"}
}
assert Authorization.can_access_page?(read_only_user, "/users/read-only-123") == true
assert Authorization.can_access_page?(read_only_user, "/users/read-only-123/edit") == true
assert Authorization.can_access_page?(read_only_user, "/users/other-id") == false
assert Authorization.can_access_page?(read_only_user, "/users/other-id/edit") == false
end
test "normal_user can access own profile /users/:id only" do
normal_user = %{
id: "normal-456",
role: %{permission_set_name: "normal_user"}
}
assert Authorization.can_access_page?(normal_user, "/users/normal-456") == true
assert Authorization.can_access_page?(normal_user, "/users/normal-456/edit") == true
assert Authorization.can_access_page?(normal_user, "/users/other-id") == false
end
test "reserved segment 'new' is not matched by :id" do
read_only_user = %{
id: "read-only-123",
role: %{permission_set_name: "read_only"}
}
assert Authorization.can_access_page?(read_only_user, "/members/new") == false
assert Authorization.can_access_page?(read_only_user, "/groups/new") == false
end
test "returns false for nil user" do
assert Authorization.can_access_page?(nil, "/members") == false
assert Authorization.can_access_page?(nil, "/admin/roles") == false

79
test/mv_web/plugs/check_page_permission_test.exs
View file

@ -292,7 +292,14 @@ defmodule MvWeb.Plugs.CheckPagePermissionTest do
setup %{conn: conn, current_user: current_user} do
member = Mv.Fixtures.member_fixture()
role = Mv.Fixtures.role_fixture("admin")
{:ok, conn: conn, current_user: current_user, member_id: member.id, role_id: role.id}
group = Mv.Fixtures.group_fixture()
{:ok,
conn: conn,
current_user: current_user,
member_id: member.id,
role_id: role.id,
group_slug: group.slug}
end
@tag role: :member
@ -364,11 +371,12 @@ defmodule MvWeb.Plugs.CheckPagePermissionTest do
end
@tag role: :member
test "GET /groups/:slug redirects to user profile", %{conn: conn, current_user: user} do
group = Mv.Membership.Group |> Ash.Query.limit(1) |> Ash.read!() |> List.first()
if group,
do: assert(redirected_to(get(conn, "/groups/#{group.slug}")) == "/users/#{user.id}")
test "GET /groups/:slug redirects to user profile", %{
conn: conn,
current_user: user,
group_slug: slug
} do
assert redirected_to(get(conn, "/groups/#{slug}")) == "/users/#{user.id}"
end
@tag role: :member
@ -543,6 +551,27 @@ defmodule MvWeb.Plugs.CheckPagePermissionTest do
conn = get(conn, "/groups/#{slug}")
assert conn.status == 200
end
@tag role: :read_only
test "GET /users/:id (own profile) returns 200", %{conn: conn, current_user: user} do
conn = get(conn, "/users/#{user.id}")
assert conn.status == 200
end
@tag role: :read_only
test "GET /users/:id/edit (own profile edit) returns 200", %{conn: conn, current_user: user} do
conn = get(conn, "/users/#{user.id}/edit")
assert conn.status == 200
end
@tag role: :read_only
test "GET /users/:id/show/edit (own profile show edit) returns 200", %{
conn: conn,
current_user: user
} do
conn = get(conn, "/users/#{user.id}/show/edit")
assert conn.status == 200
end
end
describe "integration: read_only denied paths via full router" do
@ -594,6 +623,17 @@ defmodule MvWeb.Plugs.CheckPagePermissionTest do
assert redirected_to(conn) == "/users/#{user.id}"
end
@tag role: :read_only
test "GET /users/:id (other user) redirects to user profile", %{
conn: conn,
current_user: user,
role_id: _role_id
} do
other_user = Mv.Fixtures.user_with_role_fixture("admin")
conn = get(conn, "/users/#{other_user.id}")
assert redirected_to(conn) == "/users/#{user.id}"
end
@tag role: :read_only
test "GET /settings redirects to user profile", %{conn: conn, current_user: user} do
conn = get(conn, "/settings")
@ -701,6 +741,33 @@ defmodule MvWeb.Plugs.CheckPagePermissionTest do
conn = get(conn, "/groups/#{slug}")
assert conn.status == 200
end
@tag role: :normal_user
test "GET /members/:id/show/edit returns 200", %{conn: conn, member_id: id} do
conn = get(conn, "/members/#{id}/show/edit")
assert conn.status == 200
end
@tag role: :normal_user
test "GET /users/:id (own profile) returns 200", %{conn: conn, current_user: user} do
conn = get(conn, "/users/#{user.id}")
assert conn.status == 200
end
@tag role: :normal_user
test "GET /users/:id/edit (own profile edit) returns 200", %{conn: conn, current_user: user} do
conn = get(conn, "/users/#{user.id}/edit")
assert conn.status == 200
end
@tag role: :normal_user
test "GET /users/:id/show/edit (own profile show edit) returns 200", %{
conn: conn,
current_user: user
} do
conn = get(conn, "/users/#{user.id}/show/edit")
assert conn.status == 200
end
end
describe "integration: normal_user denied paths via full router" do