defmodule Mv.Authorization.Checks.ActorIsAdmin do
  @moduledoc """
  Policy check: true when the actor is the system user or has permission_set_name "admin".

  Used to restrict actions (e.g. User.update_user for member link/unlink) to admins only.
  Delegates to `Mv.Authorization.Actor.admin?/1`, which returns true for the system actor
  or for a user whose role has permission_set_name "admin".
  """
  use Ash.Policy.SimpleCheck

  alias Mv.Authorization.Actor

  @impl true
  def describe(_opts), do: "actor has admin permission set"

  @impl true
  def match?(actor, _context, _opts), do: Actor.admin?(actor)
end