Enforce tenant member permissions

resources/js/admin/mobile/components/MobileShell.tsx

@@ -19,6 +19,7 @@ import { setTabHistory } from '../lib/tabHistory';
 import { loadPhotoQueue } from '../lib/photoModerationQueue';
 import { countQueuedPhotoActions } from '../lib/queueStatus';
 import { useAdminTheme } from '../theme';
+import { useAuth } from '../../auth/context';
 
 type MobileShellProps = {
   title?: string;
@@ -31,6 +32,7 @@ type MobileShellProps = {
 
 export function MobileShell({ title, subtitle, children, activeTab, onBack, headerActions }: MobileShellProps) {
   const { events, activeEvent, selectEvent } = useEventContext();
+  const { user } = useAuth();
   const { go } = useMobileNav(activeEvent?.slug, activeTab);
   const navigate = useNavigate();
   const location = useLocation();
@@ -137,7 +139,22 @@ export function MobileShell({ title, subtitle, children, activeTab, onBack, head
   const pageTitle = title ?? t('header.appName', 'Event Admin');
   const eventContext = !isCompactHeader && effectiveActive ? resolveEventDisplayName(effectiveActive) : null;
   const subtitleText = subtitle ?? eventContext ?? '';
-  const showQr = Boolean(effectiveActive?.slug);
+  const isMember = user?.role === 'member';
+  const memberPermissions = Array.isArray(effectiveActive?.member_permissions) ? effectiveActive?.member_permissions ?? [] : [];
+  const allowPermission = (permission: string) => {
+    if (!isMember) {
+      return true;
+    }
+    if (memberPermissions.includes('*') || memberPermissions.includes(permission)) {
+      return true;
+    }
+    if (permission.includes(':')) {
+      const [prefix] = permission.split(':');
+      return memberPermissions.includes(`${prefix}:*`);
+    }
+    return false;
+  };
+  const showQr = Boolean(effectiveActive?.slug) && allowPermission('join-tokens:manage');
   const headerBackButton = onBack ? (
     <HeaderActionButton onPress={onBack} ariaLabel={t('actions.back', 'Back')}>
       <XStack alignItems="center" space="$1.5">