Enforce tenant member permissions

resources/js/admin/mobile/__tests__/DashboardPage.test.tsx

@@ -14,6 +14,7 @@ const fixtures = vi.hoisted(() => ({
     photo_count: 12,
     active_invites_count: 3,
     total_invites_count: 5,
+    member_permissions: ['photos:moderate', 'tasks:manage', 'join-tokens:manage'],
   },
   activePackage: {
     id: 1,
@@ -36,6 +37,10 @@ const fixtures = vi.hoisted(() => ({
 }));
 
 const navigateMock = vi.fn();
+const authState = {
+  status: 'authenticated',
+  user: { role: 'tenant_admin' },
+};
 
 vi.mock('react-router-dom', () => ({
   useNavigate: () => navigateMock,
@@ -103,7 +108,7 @@ vi.mock('../../context/EventContext', () => ({
 }));
 
 vi.mock('../../auth/context', () => ({
-  useAuth: () => ({ status: 'unauthenticated' }),
+  useAuth: () => authState,
 }));
 
 vi.mock('../hooks/useInstallPrompt', () => ({
@@ -232,4 +237,16 @@ describe('MobileDashboardPage', () => {
     expect(screen.getByText('2 of 5 events used')).toBeInTheDocument();
     expect(screen.getByText('3 remaining')).toBeInTheDocument();
   });
+
+  it('hides admin-only shortcuts for members', () => {
+    authState.user = { role: 'member' };
+
+    render(<MobileDashboardPage />);
+
+    expect(screen.getByText('Moderation & Live Show')).toBeInTheDocument();
+    expect(screen.queryByText('Event settings')).not.toBeInTheDocument();
+    expect(screen.queryByText('Live Show settings')).not.toBeInTheDocument();
+
+    authState.user = { role: 'tenant_admin' };
+  });
 });