Feature Roadmap & Implementation Plan
Project: Mila - Membership Management System
Last Updated: 2026-03-03
Status: Active Development
This is the living per-area roadmap: shipped state (coarse — see development-progress-log.md for detail), open issues, and the missing-features backlog. For the actual, current endpoints see lib/mv_web/router.ex and docs/page-permission-route-coverage.md.
Feature Area Breakdown
Feature Areas
1. Authentication & Authorization 🔐
Current State:
- ✅ OIDC authentication (Rauthy)
- ✅ Password-based authentication
- ✅ User sessions and tokens
- ✅ Basic authentication flows
- ✅ OIDC account linking with password verification (PR #192, closes #171)
- ✅ Secure OIDC email collision handling (PR #192)
- ✅ Automatic linking for passwordless users (PR #192)
- ✅ Page Permission Router Plug - Page-level authorization (PR #390, closes #388, 2026-01-27)
- Route-based permission checking
- Automatic redirects for unauthorized access
- Integration with permission sets
Closed Issues:
- ✅ #171 - OIDC handling and linking (closed 2025-11-13)
- ✅ #146 - Translate "or" in the login screen — fixed via MvWeb.AuthOverridesDE locale-specific module (2026-03-13)
- ✅ #144 - Add language switch dropdown to login screen — fixed locale selector bug with Gettext.get_locale(MvWeb.Gettext) (2026-03-13)
Open Issues: (none remaining for Authentication UI)
Current State:
- ✅ Role-based access control (RBAC) - Implemented (2026-01-08, PR #346, closes #345)
- ✅ Permission system - Four hardcoded permission sets (own_data, read_only, normal_user, admin)
- ✅ Database-backed roles - Roles table with permission set references
- ✅ Resource policies - Member resource policies with scope filtering
- ✅ Page-level authorization - LiveView page access control
- ✅ System role protection - Critical roles cannot be deleted
Implemented: OIDC-only mode:
- ✅ Admin Settings: when OIDC-only is enabled, the "Allow direct registration" toggle is disabled with a hint.
- ✅ Backend rejects password sign-in and register_with_password when OIDC-only is active.
- ✅ GET /sign-in redirects to OIDC when OIDC-only and OIDC are configured (MvWeb.Plugs.OidcOnlySignInRedirect). The oidc_only setting and ENV are read via Mv.Config.oidc_only?/0.
Missing Features:
- ❌ Password reset flow
- ❌ Email verification
- ❌ Two-factor authentication (future)
Related Issues:
- ✅ #345 - Member Resource Policies (closed 2026-01-13)
- ✅ #191 - Implement Roles in Ash (M) - Completed
- ✅ #190 - Implement Permissions in Ash (M) - Completed
- ✅ #151 - Define implementation plan for roles and permissions (M) - Completed
- ✅ #388 - Page Permission Router Plug (closed 2026-01-27)
- ✅ #386 - CustomField Resource Policies (closed 2026-01-27)
- ✅ #369 - CustomFieldValue Resource Policies (closed 2026-01-27)
- ✅ #363 - User Resource Policies (closed 2026-01-27)
2. Member Management 👥
Current State:
- ✅ Member CRUD operations
- ✅ Member profile with personal data
- ✅ Address management
- ✅ Membership status tracking
- ✅ Full-text search (PostgreSQL tsvector)
- ✅ Fuzzy search with trigram matching (PR #187, closes #162)
- ✅ Combined FTS + trigram search (PR #187)
- ✅ 6 GIN trigram indexes for fuzzy matching (PR #187)
- ✅ Sorting by basic fields
- ✅ User-Member linking (optional 1:1)
- ✅ Email synchronization between User and Member
- ✅ Bulk email copy - Copy selected members' email addresses to clipboard (Issue #230)
- ✅ Groups - Organize members into groups (PR #378, #382, #423, closes #371, #372, #374, #375, 2026-01/02)
- Many-to-many relationship with groups
- Groups management UI (/groups)
- Filter and sort by groups in member list
- Per-group filter in member list: one row per group with All / Yes / No (All/Alle); URL params group_<uuid>=in|not_in
- Groups displayed in member overview and detail views
- Member search includes group names (search by group name finds members in that group; search_vector + trigger on member_groups)
- ✅ CSV Import - Import members from CSV files (PR #359, #394, #395, closes #335, #336, #338, 2026-01-27)
- Member field import
- Custom field value import
- Real-time progress tracking
- Error reporting
Closed Issues:
- ✅ #162 - Fuzzy and substring search (closed 2025-11-12)
- ✅ #371 - Add groups resource (closed 2026-01-27)
- ✅ #372 - Groups Admin UI (closed 2026-01-27)
- ✅ #375 - Search Integration (group names in member search) (implemented 2026-02-17)
- ✅ #335 - CSV Import UI (closed 2026-01-27)
- ✅ #336 - Config for import limits (closed 2026-01-27)
- ✅ #338 - Custom field CSV import (closed 2026-01-27)
Open Issues:
- #169 - Allow combined creation of Users/Members (M, Low priority)
- #168 - Allow user-member association in edit/create views (M, High priority)
- #165 - Pagination for list of members (S, Low priority)
- #160 - Implement clear icon in searchbar (S, Low priority)
- #154 - Concept advanced search (Low priority, needs refinement)
Missing Features:
- ❌ Advanced filters (date ranges, multiple criteria)
- ❌ Pagination (currently all members loaded)
- ❌ Bulk operations (bulk delete, bulk update)
- ❌ Excel import for members
- ❌ Member profile photos/avatars
- ❌ Member history/audit log
- ❌ Duplicate detection
3. Custom Fields (CustomFieldValue System) 🔧
Current State:
- ✅ CustomFieldValue types (string, integer, boolean, date, email)
- ✅ CustomFieldValue type management
- ✅ Dynamic custom field value assignment to members
- ✅ Union type storage (JSONB)
- ✅ Default field visibility configuration
Closed Issues:
- #194 - Custom Fields: Harden implementation (S)
- #197 - Custom Fields: Add option to show custom fields in member overview (M)
- #161 - Remove birthday field from default configuration (S) - Closed 2025-12-02
Open Issues:
- #157 - Concept how custom fields are handled (M, High priority) [0/4 tasks]
- #153 - Sorting functionalities for custom fields (M, Low priority)
Missing Features:
- ❌ Field groups/categories
- ❌ Conditional fields (show field X if field Y = value)
- ❌ Field validation rules (min/max, regex patterns)
- ❌ Required custom fields
- ❌ Multi-select fields
- ❌ File upload fields
- ❌ Sorting by custom fields
- ❌ Searching by custom fields
4. User Management 👤
Current State:
- ✅ User CRUD operations
- ✅ User list view
- ✅ User profile view
- ✅ Admin password setting
- ✅ User-Member relationship
Missing Features:
- ❌ User roles assignment UI
- ❌ User permissions management
- ❌ User activity log
- ❌ User invitation system
- ❌ User onboarding flow
- ❌ Self-service profile editing
- ❌ Password change flow
5. Navigation & UX 🧭
Current State:
- ✅ Basic navigation structure
- ✅ Navbar with profile button
- ✅ Member list as landing page
- ✅ Breadcrumbs (basic)
- ✅ Flash: auto-dismiss and consistency (Design Guidelines §9)
- Auto-dismiss implemented via the FlashAutoDismiss JS hook (assets/js/app.js) driven by the data-auto-clear-ms and data-clear-flash-key attributes on the flash component (MvWeb.CoreComponents.flash/1); the per-flash delay is set through the component's auto_clear_ms attribute, and the dismiss button is kept for accessibility.
- On timeout the hook pushes LiveView's built-in lv:clear-flash event (no custom handle_event) and hides the element.
- All flashes (including “Email copied”) use the same variants (info, success, warning, error); no special tone. See DESIGN_GUIDELINES.md §9.
- ❌ Per-kind default durations (info/success 4–6s, warning 6–8s, error 8–12s) are not built in — the delay is a single explicit auto_clear_ms value per flash, not a kind-based default.
Open Issues:
- #188 - Check if searching just on typing is accessible (S, Low priority)
- #174 - Accessibility - aria-sort in tables (S, Low priority)
Missing Features:
- ❌ Dashboard/Home page
- ❌ Quick actions menu
- ❌ Recent activity widget
- ❌ Keyboard shortcuts
- ❌ Mobile navigation
- ❌ Context-sensitive help
- ❌ Onboarding tooltips
6. Internationalization (i18n) 🌍
Current State:
- ✅ Gettext integration
- ✅ German translations
- ✅ English translations
- ✅ Translation files for auth, errors, default
Open Issues:
- #146 - Translate "or" in the login screen (Low)
- #144 - Add language switch dropdown to login screen (Low)
Missing Features:
- ❌ Language switcher UI
- ❌ User-specific language preferences
- ❌ Date/time localization
- ❌ Number formatting (currency, decimals)
- ❌ Complete translation coverage
- ❌ RTL support (future)
7. Payment & Fees Management 💰
Current State:
- ✅ Basic "paid" boolean field on members
- ✅ Membership Fee Types Management - Full CRUD implementation
- ✅ Membership Fee Cycles - Individual billing cycles per member
- ✅ Membership Fee Settings - Global settings (include_joining_cycle, default_fee_type)
- ✅ Cycle Generation - Automatic cycle generation for members
- ✅ Payment Status Tracking - Status per cycle (unpaid, paid, suspended)
- ✅ Member Fee Assignment - Members can be assigned to fee types
- ✅ Cycle Regeneration - Regenerate cycles when fee type changes
- ✅ UI Components - Membership fee status in member list and detail views
Open Issues:
- #156 - Set up & document testing environment for vereinfacht.digital (L, Low priority)
- ✅ #226 - Payment/Membership Fee Mockup Pages (Preview) - Implemented
Implemented Pages:
- /membership_fee_types - Membership Fee Types Management (fully functional)
- /membership_fee_settings - Global Membership Fee Settings (fully functional)
- /members/:id - Member detail view with membership fee cycles
Missing Features:
- ❌ Payment records/transactions (external payment tracking)
- ❌ Payment reminders
- ❌ Invoice generation
- ✅ Member–finance-contact sync with vereinfacht.digital API (see docs/vereinfacht-api.md); ❌ transaction import / full API integration
- ❌ SEPA direct debit support
- ❌ Payment reports
Related Milestones:
- Import transactions via vereinfacht API
8. Admin Panel & Configuration ⚙️
Current State:
- ✅ AshAdmin integration (basic)
- ✅ Global Settings Management - /settings page (singleton resource)
- ✅ Club/Organization profile - Club name configuration
- ✅ Member Field Visibility Settings - Configure which fields show in overview
- ✅ CustomFieldValue type management UI - Full CRUD for custom fields
- ✅ Role Management UI - Full CRUD for roles (/admin/roles)
- ✅ Membership Fee Settings - Global fee settings management
Open Issues:
- #186 - Create Architecture docs in Repo (S, Low priority)
Implemented Features:
- ✅ SMTP configuration – Configure mail server via ENV (SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD, SMTP_PASSWORD_FILE, SMTP_SSL) and Admin Settings (UI), with ENV taking priority. Test email from Settings SMTP section. Production warning when SMTP is not configured. See docs/smtp-configuration-concept.md.
Missing Features:
- ❌ Email templates configuration
- ❌ System health dashboard
- ❌ Audit log viewer
- ❌ Backup/restore functionality
Related Milestones:
- As Admin I can configure settings globally
9. Communication & Notifications 📧
Current State:
- ✅ Swoosh mailer integration
- ✅ Email confirmation (via AshAuthentication)
- ✅ Password reset emails (via AshAuthentication)
- ✅ SMTP configuration via ENV and Admin Settings (see Admin Panel section)
- ⚠️ No member communication features
Missing Features:
- ❌ Email broadcast to members
- ❌ Email templates (customizable)
- ❌ Email to member groups/filters
10. Reporting & Analytics 📊
Current State:
- ✅ Statistics page (MVP) – /statistics with active/inactive member counts, joins/exits by year, cycle totals, open amount (2026-02-10). Backed by Mv.Statistics (read-only Ash reads on Member + MembershipFeeCycle, no new resources); displayed in MvWeb.StatisticsLive. Permission: read_only, normal_user, admin (own_data denied).
MVP design decisions:
- Charts are HTML/CSS + SVG only — no Contex, no Chart.js (deliberate).
- Open amount = total unpaid only; no overdue vs. not-yet-due split in the MVP.
- Out of scope (deferred follow-ups): export (CSV/PDF), caching, month/quarter filters, "members per fee type" / "members per group" stats, overdue split, new tables/resources.
Missing Features:
- ❌ Extended member statistics dashboard
- ❌ Membership growth charts
- ❌ Payment reports
- ❌ Custom report builder
- ❌ Export to PDF/CSV/Excel
- ❌ Scheduled reports
- ❌ Data visualization
11. Data Import/Export 📥📤
Current State:
- ✅ Seed data script
- ✅ CSV Import Templates - German and English templates (#329, 2026-01-13)
- Template files in priv/static/templates/member_import_de.csv and member_import_en.csv
- CSV specification documented in docs/csv-member-import-v1.md
- ✅ CSV Import Implementation - Full CSV import feature (#335, #336, #338, 2026-01-27)
- Import/Export LiveView (/import_export)
- Member field import (email, first_name, last_name, etc.)
- Custom field value import (all types: string, integer, boolean, date, email)
- Real-time progress tracking
- Error and warning reporting with line numbers
- Configurable limits (max file size, max rows)
- Chunked processing (200 rows per chunk)
- Admin-only access
Closed Issues:
- ✅ #335 - CSV Import UI (closed 2026-01-27)
- ✅ #336 - Config for import limits (closed 2026-01-27)
- ✅ #338 - Custom field CSV import (closed 2026-01-27)
Missing Features:
- ❌ Excel import for members
- ❌ Import validation preview (before import)
- ❌ Bulk data export
- ❌ Backup export
- ❌ Data migration tools
12. Testing & Quality Assurance 🧪
Current State:
- ✅ ExUnit test suite
- ✅ Unit tests for resources
- ✅ Integration tests for email sync
- ✅ LiveView tests
- ✅ Component tests
- ✅ CI/CD pipeline (Drone)
Missing Features:
- ❌ E2E tests (browser automation)
- ❌ Performance testing
- ❌ Load testing
- ❌ Security penetration testing
- ❌ Accessibility testing automation
- ❌ Visual regression testing
- ❌ Test coverage reporting
13. Infrastructure & DevOps 🚀
Current State:
- ✅ Docker Compose for development
- ✅ Production Dockerfile
- ✅ Drone CI/CD pipeline
- ✅ Renovate for dependency updates
- ✅ Database seeds split into bootstrap (all envs) and dev-only seeds (20 members, groups; 2026-03-03)
- ⚠️ No staging environment
Open Issues:
- #186 - Create Architecture docs in Repo (S, Low priority)
Missing Features:
- ❌ Staging environment
- ❌ Automated deployment
- ❌ Database backup automation
- ❌ Monitoring and alerting
- ❌ Error tracking (Sentry, etc.)
- ❌ Log aggregation
- ❌ Health checks and uptime monitoring
Related Milestones:
- We have a staging environment
- We implement security measures
14. Security & Compliance 🔒
Current State:
- ✅ OIDC authentication
- ✅ Password hashing (bcrypt)
- ✅ CSRF protection
- ✅ SQL injection prevention (Ecto)
- ✅ Sobelow security scans
- ✅ Dependency auditing
Missing Features:
- ❌ Role-based access control (see #1)
- ❌ Audit logging
- ❌ GDPR compliance features (data export, deletion)
- ❌ Session management (timeout, concurrent sessions)
- ❌ Rate limiting
- ❌ IP whitelisting/blacklisting
- ❌ Security headers configuration
- ❌ Data retention policies
Related Milestones:
- We implement security measures
15. Accessibility & Usability ♿
Current State:
- ✅ Semantic HTML
- ✅ Basic ARIA labels
- ⚠️ Needs comprehensive audit
Open Issues:
- #188 - Check if searching just on typing is accessible (S, Low priority)
- #174 - Accessibility - aria-sort in tables (S, Low priority)
Missing Features:
- ❌ Comprehensive accessibility audit (WCAG 2.1 Level AA)
- ❌ Keyboard navigation improvements
- ❌ Screen reader optimization
- ❌ High contrast mode
- ❌ Font size adjustments
- ❌ Focus management
- ❌ Skip links
- ❌ Error announcements
Feature Area Summary
| Feature Area | Current Status | Priority | Complexity |
|---|---|---|---|
| Authentication & Authorization | 60% complete | High | Medium |
| Member Management | 85% complete | High | Low-Medium |
| Custom Fields | 50% complete | High | Medium |
| User Management | 60% complete | Medium | Low |
| Navigation & UX | 50% complete | Medium | Low |
| Internationalization | 70% complete | Low | Low |
| Payment & Fees | 5% complete | High | High |
| Admin Panel | 20% complete | Medium | Medium |
| Communication | 30% complete | Medium | Medium |
| Reporting | 0% complete | Medium | Medium-High |
| Import/Export | 10% complete | Low | Medium |
| Testing & QA | 60% complete | Medium | Low-Medium |
| Infrastructure | 70% complete | Medium | Medium |
| Security | 50% complete | High | Medium-High |
| Accessibility | 40% complete | Medium | Medium |
Open Milestones (From Issues)
- ✅ I can create a new contact (Closed)
- ✅ I can search through the list of members - fulltext (Closed) - #162 implemented (Fuzzy Search), #154 needs refinement
- 🔄 I can sort the list of members for specific fields (Open) - Related: #153
- 🔄 We have an intuitive navigation structure (Open)
- 🔄 We have different roles and permissions (Open) - Related: #191, #190, #151
- 🔄 As Admin I can configure settings globally (Open)
- ✅ Accounts & Logins (Partially closed) - #171 implemented (OIDC linking), #169/#168 still open
- 🔄 I can add custom fields (Open) - Related: #194, #157, #161
- 🔄 Import transactions via vereinfacht API (Open) - Related: #156
- 🔄 We have a staging environment (Open)
- 🔄 We implement security measures (Open)
Endpoints
For the real, current routes and their authorization, see lib/mv_web/router.ex and docs/page-permission-route-coverage.md (the per-permission-set route matrix). The Ash resource actions are defined on each resource module under lib/. An earlier speculative API catalog for not-yet-existing resources (Payment, Invoice, Report, Notification, AuditLog, Organization) was removed — those are tracked above as missing features per area, not as endpoint specs.
References:
- Open Issues: https://git.local-it.org/local-it/mitgliederverwaltung/issues
- Architecture: See CODE_GUIDELINES.md
- Database Schema: See database-schema-readme.md