mitgliederverwaltung/docs/feature-roadmap.md


Feature Roadmap & Implementation Plan

Project: Mila - Membership Management System
Last Updated: 2026-03-03
Status: Active Development


This is the living per-area roadmap: shipped state (coarse — see development-progress-log.md for detail), open issues, and the missing-features backlog. For the actual, current endpoints see lib/mv_web/router.ex and docs/page-permission-route-coverage.md.


Feature Area Breakdown

Feature Areas

1. Authentication & Authorization 🔐

Current State:

  • OIDC authentication (Rauthy)
  • Password-based authentication
  • User sessions and tokens
  • Basic authentication flows
  • OIDC account linking with password verification (PR #192, closes #171)
  • Secure OIDC email collision handling (PR #192)
  • Automatic linking for passwordless users (PR #192)
  • Page Permission Router Plug - Page-level authorization (PR #390, closes #388, 2026-01-27)
    • Route-based permission checking
    • Automatic redirects for unauthorized access
    • Integration with permission sets

Closed Issues:

  • #171 - OIDC handling and linking (closed 2025-11-13)
  • #146 - Translate "or" in the login screen — fixed via MvWeb.AuthOverridesDE locale-specific module (2026-03-13)
  • #144 - Add language switch dropdown to login screen — fixed locale selector bug with Gettext.get_locale(MvWeb.Gettext) (2026-03-13)

Open Issues: (none remaining for Authentication UI)

Current State:

  • Role-based access control (RBAC) - Implemented (2026-01-08, PR #346, closes #345)
  • Permission system - Four hardcoded permission sets (own_data, read_only, normal_user, admin)
  • Database-backed roles - Roles table with permission set references
  • Resource policies - Member resource policies with scope filtering
  • Page-level authorization - LiveView page access control
  • System role protection - Critical roles cannot be deleted

Implemented: OIDC-only mode:

  • Admin Settings: when OIDC-only is enabled, the "Allow direct registration" toggle is disabled with a hint.
  • Backend rejects password sign-in and register_with_password when OIDC-only is active.
  • GET /sign-in redirects to OIDC when OIDC-only and OIDC are configured (MvWeb.Plugs.OidcOnlySignInRedirect). The oidc_only setting and ENV are read via Mv.Config.oidc_only?/0.

Missing Features:

  • Password reset flow
  • Email verification
  • Two-factor authentication (future)

Related Issues:

  • #345 - Member Resource Policies (closed 2026-01-13)
  • #191 - Implement Roles in Ash (M) - Completed
  • #190 - Implement Permissions in Ash (M) - Completed
  • #151 - Define implementation plan for roles and permissions (M) - Completed
  • #388 - Page Permission Router Plug (closed 2026-01-27)
  • #386 - CustomField Resource Policies (closed 2026-01-27)
  • #369 - CustomFieldValue Resource Policies (closed 2026-01-27)
  • #363 - User Resource Policies (closed 2026-01-27)

2. Member Management 👥

Current State:

  • Member CRUD operations
  • Member profile with personal data
  • Address management
  • Membership status tracking
  • Full-text search (PostgreSQL tsvector)
  • Fuzzy search with trigram matching (PR #187, closes #162)
  • Combined FTS + trigram search (PR #187)
  • 6 GIN trigram indexes for fuzzy matching (PR #187)
  • Sorting by basic fields
  • User-Member linking (optional 1:1)
  • Email synchronization between User and Member
  • Bulk email copy - Copy selected members' email addresses to clipboard (Issue #230)
  • Groups - Organize members into groups (PR #378, #382, #423, closes #371, #372, #374, #375, 2026-01/02)
    • Many-to-many relationship with groups
    • Groups management UI (/groups)
    • Filter and sort by groups in member list
    • Per-group filter in member list: one row per group with All / Yes / No (All/Alle); URL params group_<uuid>=in|not_in
    • Groups displayed in member overview and detail views
    • Member search includes group names (search by group name finds members in that group; search_vector + trigger on member_groups)
  • CSV Import - Import members from CSV files (PR #359, #394, #395, closes #335, #336, #338, 2026-01-27)
    • Member field import
    • Custom field value import
    • Real-time progress tracking
    • Error reporting

Closed Issues:

  • #162 - Fuzzy and substring search (closed 2025-11-12)
  • #371 - Add groups resource (closed 2026-01-27)
  • #372 - Groups Admin UI (closed 2026-01-27)
  • #375 - Search Integration (group names in member search) (implemented 2026-02-17)
  • #335 - CSV Import UI (closed 2026-01-27)
  • #336 - Config for import limits (closed 2026-01-27)
  • #338 - Custom field CSV import (closed 2026-01-27)

Open Issues:

  • #169 - Allow combined creation of Users/Members (M, Low priority)
  • #168 - Allow user-member association in edit/create views (M, High priority)
  • #165 - Pagination for list of members (S, Low priority)
  • #160 - Implement clear icon in searchbar (S, Low priority)
  • #154 - Concept advanced search (Low priority, needs refinement)

Missing Features:

  • Advanced filters (date ranges, multiple criteria)
  • Pagination (currently all members loaded)
  • Bulk operations (bulk delete, bulk update)
  • Excel import for members
  • Member profile photos/avatars
  • Member history/audit log
  • Duplicate detection

3. Custom Fields (CustomFieldValue System) 🔧

Current State:

  • CustomFieldValue types (string, integer, boolean, date, email)
  • CustomFieldValue type management
  • Dynamic custom field value assignment to members
  • Union type storage (JSONB)
  • Default field visibility configuration

Closed Issues:

  • #194 - Custom Fields: Harden implementation (S)
  • #197 - Custom Fields: Add option to show custom fields in member overview (M)
  • #161 - Remove birthday field from default configuration (S) - Closed 2025-12-02

Open Issues:

  • #157 - Concept how custom fields are handled (M, High priority) [0/4 tasks]
  • #153 - Sorting functionalities for custom fields (M, Low priority)

Missing Features:

  • Field groups/categories
  • Conditional fields (show field X if field Y = value)
  • Field validation rules (min/max, regex patterns)
  • Required custom fields
  • Multi-select fields
  • File upload fields
  • Sorting by custom fields
  • Searching by custom fields

4. User Management 👤

Current State:

  • User CRUD operations
  • User list view
  • User profile view
  • Admin password setting
  • User-Member relationship

Missing Features:

  • User roles assignment UI
  • User permissions management
  • User activity log
  • User invitation system
  • User onboarding flow
  • Self-service profile editing
  • Password change flow

5. Navigation & UX 🧭

Current State:

  • Basic navigation structure
  • Navbar with profile button
  • Member list as landing page
  • Breadcrumbs (basic)
  • Flash: auto-dismiss and consistency (Design Guidelines §9)
    • Auto-dismiss implemented via the FlashAutoDismiss JS hook (assets/js/app.js) driven by the data-auto-clear-ms and data-clear-flash-key attributes on the flash component (MvWeb.CoreComponents.flash/1); the per-flash delay is set through the component's auto_clear_ms attribute, and the dismiss button is kept for accessibility.
    • On timeout the hook pushes LiveView's built-in lv:clear-flash event (no custom handle_event) and hides the element.
    • All flashes (including “Email copied”) use the same variants (info, success, warning, error); no special tone. See DESIGN_GUIDELINES.md §9.
    • Per-kind default durations (info/success 4–6s, warning 6–8s, error 8–12s) are not built in: the delay is a single explicit auto_clear_ms value per flash, not a kind-based default.

Open Issues:

  • #188 - Check if searching just on typing is accessible (S, Low priority)
  • #174 - Accessibility - aria-sort in tables (S, Low priority)

Missing Features:

  • Dashboard/Home page
  • Quick actions menu
  • Recent activity widget
  • Keyboard shortcuts
  • Mobile navigation
  • Context-sensitive help
  • Onboarding tooltips

6. Internationalization (i18n) 🌍

Current State:

  • Gettext integration
  • German translations
  • English translations
  • Translation files for auth, errors, default

Open Issues:

  • #146 - Translate "or" in the login screen (Low)
  • #144 - Add language switch dropdown to login screen (Low)

Missing Features:

  • Language switcher UI
  • User-specific language preferences
  • Date/time localization
  • Number formatting (currency, decimals)
  • Complete translation coverage
  • RTL support (future)

7. Payment & Fees Management 💰

Current State:

  • Basic "paid" boolean field on members
  • Membership Fee Types Management - Full CRUD implementation
  • Membership Fee Cycles - Individual billing cycles per member
  • Membership Fee Settings - Global settings (include_joining_cycle, default_fee_type)
  • Cycle Generation - Automatic cycle generation for members
  • Payment Status Tracking - Status per cycle (unpaid, paid, suspended)
  • Member Fee Assignment - Members can be assigned to fee types
  • Cycle Regeneration - Regenerate cycles when fee type changes
  • UI Components - Membership fee status in member list and detail views

Open Issues:

  • #156 - Set up & document testing environment for vereinfacht.digital (L, Low priority)
  • #226 - Payment/Membership Fee Mockup Pages (Preview) - Implemented

Implemented Pages:

  • /membership_fee_types - Membership Fee Types Management (fully functional)
  • /membership_fee_settings - Global Membership Fee Settings (fully functional)
  • /members/:id - Member detail view with membership fee cycles

Missing Features:

  • Payment records/transactions (external payment tracking)
  • Payment reminders
  • Invoice generation
  • Memberfinance-contact sync with vereinfacht.digital API (see docs/vereinfacht-api.md); transaction import / full API integration
  • SEPA direct debit support
  • Payment reports

Related Milestones:

  • Import transactions via vereinfacht API

8. Admin Panel & Configuration ⚙️

Current State:

  • AshAdmin integration (basic)
  • Global Settings Management - /settings page (singleton resource)
  • Club/Organization profile - Club name configuration
  • Member Field Visibility Settings - Configure which fields show in overview
  • CustomFieldValue type management UI - Full CRUD for custom fields
  • Role Management UI - Full CRUD for roles (/admin/roles)
  • Membership Fee Settings - Global fee settings management

Open Issues:

  • #186 - Create Architecture docs in Repo (S, Low priority)

Implemented Features:

  • SMTP configuration - Configure the mail server via ENV (SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD, SMTP_PASSWORD_FILE, SMTP_SSL) and Admin Settings (UI), with ENV taking priority. Test email from the Settings SMTP section. Production warning when SMTP is not configured. See docs/smtp-configuration-concept.md.

Missing Features:

  • Email templates configuration
  • System health dashboard
  • Audit log viewer
  • Backup/restore functionality

Related Milestones:

  • As Admin I can configure settings globally

9. Communication & Notifications 📧

Current State:

  • Swoosh mailer integration
  • Email confirmation (via AshAuthentication)
  • Password reset emails (via AshAuthentication)
  • SMTP configuration via ENV and Admin Settings (see Admin Panel section)
  • ⚠️ No member communication features

Missing Features:

  • Email broadcast to members
  • Email templates (customizable)
  • Email to member groups/filters

10. Reporting & Analytics 📊

Current State:

  • Statistics page (MVP) - /statistics with active/inactive member counts, joins/exits by year, cycle totals, open amount (2026-02-10). Backed by Mv.Statistics (read-only Ash reads on Member + MembershipFeeCycle, no new resources); displayed in MvWeb.StatisticsLive. Permission: read_only, normal_user, admin (own_data denied).

MVP design decisions:

  • Charts are HTML/CSS + SVG only — no Contex, no Chart.js (deliberate).
  • Open amount = total unpaid only; no overdue vs. not-yet-due split in the MVP.
  • Out of scope (deferred follow-ups): export (CSV/PDF), caching, month/quarter filters, "members per fee type" / "members per group" stats, overdue split, new tables/resources.

Missing Features:

  • Extended member statistics dashboard
  • Membership growth charts
  • Payment reports
  • Custom report builder
  • Export to PDF/CSV/Excel
  • Scheduled reports
  • Data visualization

11. Data Import/Export 📥📤

Current State:

  • Seed data script
  • CSV Import Templates - German and English templates (#329, 2026-01-13)
    • Template files in priv/static/templates/member_import_de.csv and member_import_en.csv
    • CSV specification documented in docs/csv-member-import-v1.md
  • CSV Import Implementation - Full CSV import feature (#335, #336, #338, 2026-01-27)
    • Import/Export LiveView (/import_export)
    • Member field import (email, first_name, last_name, etc.)
    • Custom field value import (all types: string, integer, boolean, date, email)
    • Real-time progress tracking
    • Error and warning reporting with line numbers
    • Configurable limits (max file size, max rows)
    • Chunked processing (200 rows per chunk)
    • Admin-only access

Closed Issues:

  • #335 - CSV Import UI (closed 2026-01-27)
  • #336 - Config for import limits (closed 2026-01-27)
  • #338 - Custom field CSV import (closed 2026-01-27)

Missing Features:

  • Excel import for members
  • Import validation preview (before import)
  • Bulk data export
  • Backup export
  • Data migration tools

12. Testing & Quality Assurance 🧪

Current State:

  • ExUnit test suite
  • Unit tests for resources
  • Integration tests for email sync
  • LiveView tests
  • Component tests
  • CI/CD pipeline (Drone)

Missing Features:

  • E2E tests (browser automation)
  • Performance testing
  • Load testing
  • Security penetration testing
  • Accessibility testing automation
  • Visual regression testing
  • Test coverage reporting

13. Infrastructure & DevOps 🚀

Current State:

  • Docker Compose for development
  • Production Dockerfile
  • Drone CI/CD pipeline
  • Renovate for dependency updates
  • Database seeds split into bootstrap (all envs) and dev-only seeds (20 members, groups; 2026-03-03)
  • ⚠️ No staging environment

Open Issues:

  • #186 - Create Architecture docs in Repo (S, Low priority)

Missing Features:

  • Staging environment
  • Automated deployment
  • Database backup automation
  • Monitoring and alerting
  • Error tracking (Sentry, etc.)
  • Log aggregation
  • Health checks and uptime monitoring

Related Milestones:

  • We have a staging environment
  • We implement security measures

14. Security & Compliance 🔒

Current State:

  • OIDC authentication
  • Password hashing (bcrypt)
  • CSRF protection
  • SQL injection prevention (Ecto)
  • Sobelow security scans
  • Dependency auditing

Missing Features:

  • Role-based access control (see #1)
  • Audit logging
  • GDPR compliance features (data export, deletion)
  • Session management (timeout, concurrent sessions)
  • Rate limiting
  • IP whitelisting/blacklisting
  • Security headers configuration
  • Data retention policies

Related Milestones:

  • We implement security measures

15. Accessibility & Usability

Current State:

  • Semantic HTML
  • Basic ARIA labels
  • ⚠️ Needs comprehensive audit

Open Issues:

  • #188 - Check if searching just on typing is accessible (S, Low priority)
  • #174 - Accessibility - aria-sort in tables (S, Low priority)

Missing Features:

  • Comprehensive accessibility audit (WCAG 2.1 Level AA)
  • Keyboard navigation improvements
  • Screen reader optimization
  • High contrast mode
  • Font size adjustments
  • Focus management
  • Skip links
  • Error announcements

Feature Area Summary

| Feature Area | Current Status | Priority | Complexity |
|---|---|---|---|
| Authentication & Authorization | 60% complete | High | Medium |
| Member Management | 85% complete | High | Low-Medium |
| Custom Fields | 50% complete | High | Medium |
| User Management | 60% complete | Medium | Low |
| Navigation & UX | 50% complete | Medium | Low |
| Internationalization | 70% complete | Low | Low |
| Payment & Fees | 5% complete | High | High |
| Admin Panel | 20% complete | Medium | Medium |
| Communication | 30% complete | Medium | Medium |
| Reporting | 0% complete | Medium | Medium-High |
| Import/Export | 10% complete | Low | Medium |
| Testing & QA | 60% complete | Medium | Low-Medium |
| Infrastructure | 70% complete | Medium | Medium |
| Security | 50% complete | High | Medium-High |
| Accessibility | 40% complete | Medium | Medium |

Open Milestones (From Issues)

  1. I can create a new contact (Closed)
  2. I can search through the list of members - fulltext (Closed) - #162 implemented (Fuzzy Search), #154 needs refinement
  3. 🔄 I can sort the list of members for specific fields (Open) - Related: #153
  4. 🔄 We have an intuitive navigation structure (Open)
  5. 🔄 We have different roles and permissions (Open) - Related: #191, #190, #151
  6. 🔄 As Admin I can configure settings globally (Open)
  7. Accounts & Logins (Partially closed) - #171 implemented (OIDC linking), #169/#168 still open
  8. 🔄 I can add custom fields (Open) - Related: #194, #157, #161
  9. 🔄 Import transactions via vereinfacht API (Open) - Related: #156
  10. 🔄 We have a staging environment (Open)
  11. 🔄 We implement security measures (Open)

Endpoints

For the real, current routes and their authorization, see lib/mv_web/router.ex and docs/page-permission-route-coverage.md (the per-permission-set route matrix). The Ash resource actions are defined on each resource module under lib/. An earlier speculative API catalog for not-yet-existing resources (Payment, Invoice, Report, Notification, AuditLog, Organization) was removed — those are tracked above as missing features per area, not as endpoint specs.

