Permission system hardening: Role policies and member user-link restriction closes #406 #407

Merged

moritz merged 7 commits from feature/406_permission_hardening into main 2026-02-04 14:52:50 +01:00

Conversation 0 Commits 7 Files changed 13 +649 -82

7 commits

Author	SHA1	Message	Date
Moritz	95472424b1	Fix member unlink: use User update_user action ... UnrelateUserWhenArgumentNil used User :update which only accepts :email. Switch to :update_user with member: nil so manage_relationship clears member_id.	2026-02-04 14:46:23 +01:00
Moritz	5194b20b5c	Fix unlink-by-omission: on_missing :ignore, test, doc, string-key ... - Member update_member: on_missing :unrelate → :ignore (no unlink when :user omitted) - Test: normal_user update linked member without :user keeps link - Doc: unlink only explicit (user: nil), admin-only; Actor.admin?(nil) note - Check: defense-in-depth for "user" string key	2026-02-04 14:07:39 +01:00
Moritz	543fded102	Harden member user-link check: argument presence, nil actor, policy scope ... - Forbid on :user argument presence (not value) to block unlink via nil/empty - Defensive nil actor handling; policy restricted to create/update only - Test: Ash.load with actor; test non-admin cannot unlink via user: nil - Docs: unlink behaviour and policy split	2026-02-04 14:07:39 +01:00
Moritz	34e049ef32	Refactor member user-link tests: shared setup ... Use describe-level setup for normal_user, admin, unlinked_member.	2026-02-04 14:07:39 +01:00
Moritz	54e419ed4c	Docs: permission hardening Role and member user link ... Role: Ash policies (HasPermission); read for all, create/update/destroy admin only. User–member link: only admins may set :user on Member create/update (ForbidMemberUserLinkUnlessAdmin).	2026-02-04 14:07:39 +01:00
Moritz	26fbafdd9d	Restrict member user link to admins (forbid policy) ... Add ForbidMemberUserLinkUnlessAdmin check; forbid_if on Member create/update. Fix member user-link tests: pass :user in params, assert via reload.	2026-02-04 14:07:38 +01:00
Moritz	4d3a64c177	Add Role resource policies (defense-in-depth) ... - PermissionSets: Role read :all for own_data, read_only, normal_user; admin keeps full CRUD - Role resource: authorizers and policies with HasPermission - Tests: role_policies_test.exs (read all, create/update/destroy admin only) - Fix existing tests to pass actor or authorize?: false for Role operations	2026-02-04 14:07:38 +01:00