local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 66 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

Permission system hardening: Role policies and member user-link restriction closes #406 #407

Merged
moritz merged 7 commits from feature/406_permission_hardening into main 2026-02-04 14:52:50 +01:00
Conversation 0 Commits 7 Files changed 13 +649 -82
moritz commented 2026-02-04 13:25:30 +01:00
Owner
Copy link

Description of the implemented changes

The changes were:

  • Bugfixing
  • New Feature
  • Breaking Change
  • Refactoring

What has been changed?

Definition of Done

Code Quality

  • No new technical depths
  • Linting passed
  • Documentation is added were needed

Accessibility

  • New elements are properly defined with html-tags
  • Colour contrast follows WCAG criteria
  • Aria labels are added when needed
  • Everything is accessible by keyboard
  • Tab-Order is comprehensible
  • All interactive elements have a visible focus

Testing

  • Tests for new code are written
  • All tests pass
  • axe-core dev tools show no critical or major issues

Additional Notes

## Description of the implemented changes The changes were: - [ ] Bugfixing - [x] New Feature - [ ] Breaking Change - [x] Refactoring <!--- Describe the goal of the PR in a few words --> ## What has been changed? <!--- List the things you changed --> ## Definition of Done ### Code Quality - [x] No new technical depths - [x] Linting passed - [x] Documentation is added were needed ### Accessibility - [ ] New elements are properly defined with html-tags - [ ] Colour contrast follows WCAG criteria - [ ] Aria labels are added when needed - [ ] Everything is accessible by keyboard - [ ] Tab-Order is comprehensible - [ ] All interactive elements have a visible focus ### Testing - [x] Tests for new code are written - [x] All tests pass - [ ] axe-core dev tools show no critical or major issues ## Additional Notes <!--- Add any additional information for the reviewers here -->
moritz added this to the We have different roles and permissions milestone 2026-02-04 13:25:30 +01:00
moritz self-assigned this 2026-02-04 13:25:30 +01:00
moritz added 4 commits 2026-02-04 13:25:31 +01:00 
- PermissionSets: Role read :all for own_data, read_only, normal_user; admin keeps full CRUD
- Role resource: authorizers and policies with HasPermission
- Tests: role_policies_test.exs (read all, create/update/destroy admin only)
- Fix existing tests to pass actor or authorize?: false for Role operations
Add ForbidMemberUserLinkUnlessAdmin check; forbid_if on Member create/update.
Fix member user-link tests: pass :user in params, assert via reload.
Role: Ash policies (HasPermission); read for all, create/update/destroy admin only.
User–member link: only admins may set :user on Member create/update (ForbidMemberUserLinkUnlessAdmin).
Refactor member user-link tests: shared setup
All checks were successful
continuous-integration/drone/push Build is passing
Details
65ac6ca1d0 
Use describe-level setup for normal_user, admin, unlinked_member.
moritz added 1 commit 2026-02-04 13:48:36 +01:00
Harden member user-link check: argument presence, nil actor, policy scope
All checks were successful
continuous-integration/drone/push Build is passing
Details
f342350537 
- Forbid on :user argument presence (not value) to block unlink via nil/empty
- Defensive nil actor handling; policy restricted to create/update only
- Test: Ash.load with actor; test non-admin cannot unlink via user: nil
- Docs: unlink behaviour and policy split
moritz force-pushed feature/406_permission_hardening from f342350537 to 5194b20b5c 2026-02-04 14:07:49 +01:00 Compare
moritz changed title from WIP: Permission system hardening: Role policies and member user-link restriction closes #406 to Permission system hardening: Role policies and member user-link restriction closes #406 2026-02-04 14:08:56 +01:00
moritz added 1 commit 2026-02-04 14:47:13 +01:00
Fix member unlink: use User update_user action
Some checks reported errors
continuous-integration/drone/push Build was killed
Details
continuous-integration/drone/promote/production Build is passing
Details
95472424b1 
UnrelateUserWhenArgumentNil used User :update which only accepts :email.
Switch to :update_user with member: nil so manage_relationship clears member_id.
moritz merged commit 82b3182267 into main 2026-02-04 14:52:50 +01:00
moritz deleted branch feature/406_permission_hardening 2026-02-04 14:52:51 +01:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
high priority

   
invalid

Something is wrong

  
L

5 h

  
low priority

   
M

3 h

  
medium priority

   
needs refinement

   
optional

   
question

More information is needed

  
S

1 h

  
UX research

   
wontfix

This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
high priority
invalid
L
low priority
M
medium priority
needs refinement
optional
question
S
UX research
wontfix
Milestone
Clear milestone
No items
No milestone
We have different roles and permissions
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
moritz
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: local-it/mitgliederverwaltung#407
No description provided.
Delete branch "feature/406_permission_hardening"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?