Enforce tenant member permissions

2026-01-16 13:33:36 +01:00
parent df60be826d
commit 7aa0a4c847
22 changed files with 592 additions and 112 deletions
--- a/resources/js/admin/mobile/tests/DashboardPage.test.tsx
+++ b/resources/js/admin/mobile/tests/DashboardPage.test.tsx
@@ -14,6 +14,7 @@ const fixtures = vi.hoisted(() => ({
    photo_count: 12,
    active_invites_count: 3,
    total_invites_count: 5,
+    member_permissions: ['photos:moderate', 'tasks:manage', 'join-tokens:manage'],
  },
  activePackage: {
    id: 1,
@@ -36,6 +37,10 @@ const fixtures = vi.hoisted(() => ({
 }));

 const navigateMock = vi.fn();
+const authState = {
+  status: 'authenticated',
+  user: { role: 'tenant_admin' },
+};

 vi.mock('react-router-dom', () => ({
  useNavigate: () => navigateMock,
@@ -103,7 +108,7 @@ vi.mock('../../context/EventContext', () => ({
 }));

 vi.mock('../../auth/context', () => ({
-  useAuth: () => ({ status: 'unauthenticated' }),
+  useAuth: () => authState,
 }));

 vi.mock('../hooks/useInstallPrompt', () => ({
@@ -232,4 +237,16 @@ describe('MobileDashboardPage', () => {
    expect(screen.getByText('2 of 5 events used')).toBeInTheDocument();
    expect(screen.getByText('3 remaining')).toBeInTheDocument();
  });
+
+  it('hides admin-only shortcuts for members', () => {
+    authState.user = { role: 'member' };
+
+    render(<MobileDashboardPage />);
+
+    expect(screen.getByText('Moderation & Live Show')).toBeInTheDocument();
+    expect(screen.queryByText('Event settings')).not.toBeInTheDocument();
+    expect(screen.queryByText('Live Show settings')).not.toBeInTheDocument();
+
+    authState.user = { role: 'tenant_admin' };
+  });
 });
--- a/resources/js/admin/mobile/tests/EventsPage.test.tsx
+++ b/resources/js/admin/mobile/tests/EventsPage.test.tsx
@@ -3,6 +3,9 @@ import { describe, expect, it, vi } from 'vitest';
 import { render, screen } from '@testing-library/react';

 const navigateMock = vi.fn();
+const authState = {
+  user: { role: 'tenant_admin' },
+};

 vi.mock('react-router-dom', () => ({
  useNavigate: () => navigateMock,
@@ -38,6 +41,10 @@ vi.mock('../../auth/tokens', () => ({
  isAuthError: () => false,
 }));

+vi.mock('../../auth/context', () => ({
+  useAuth: () => authState,
+}));
+
 vi.mock('../../lib/apiError', () => ({
  getApiErrorMessage: () => 'error',
 }));
@@ -133,4 +140,15 @@ describe('MobileEventsPage', () => {
    expect(screen.getByText('Status')).toBeInTheDocument();
    expect(screen.getByText('Demo Event')).toBeInTheDocument();
  });
+
+  it('hides create actions for members', async () => {
+    authState.user = { role: 'member' };
+
+    render(<MobileEventsPage />);
+
+    expect(await screen.findByText('Demo Event')).toBeInTheDocument();
+    expect(screen.queryByText('Create New Event')).not.toBeInTheDocument();
+
+    authState.user = { role: 'tenant_admin' };
+  });
 });