From 59d656a07c022466a9fbd9f0eb349e4152207431 Mon Sep 17 00:00:00 2001 From: Moritz Date: Thu, 8 Jan 2026 14:25:29 +0100 Subject: [PATCH] fix: add authorization check for Roles link in navbar Only show Roles link in Settings dropdown for users with admin permissions, preventing unauthorized access attempts. --- lib/mv_web/components/layouts/navbar.ex | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/lib/mv_web/components/layouts/navbar.ex b/lib/mv_web/components/layouts/navbar.ex index c7f8d58..692f949 100644 --- a/lib/mv_web/components/layouts/navbar.ex +++ b/lib/mv_web/components/layouts/navbar.ex @@ -7,6 +7,7 @@ defmodule MvWeb.Layouts.Navbar do use MvWeb, :verified_routes alias Mv.Membership + import MvWeb.Authorization attr :current_user, :map, required: true, @@ -33,9 +34,11 @@ defmodule MvWeb.Layouts.Navbar do
  • <.link navigate="/settings">{gettext("Global Settings")}
  • -
  • - <.link navigate="/admin/roles">{gettext("Roles")} -
  • + <%= if can_access_page?(@current_user, "/admin/roles") do %> +
  • + <.link navigate="/admin/roles">{gettext("Roles")} +
  • + <% end %>
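Review bot: The `can_access_page?(@current_user, "/admin/roles")` guard around the Roles entry only hides the link; it is not an access control, so the commit message's "preventing unauthorized access attempts" holds only if `/admin/roles` is also authorized on the server. Nothing in this diff shows that enforcement, so confirm that the route's plug or LiveView mount hook, and the actions that read or change roles behind it, reject a non-admin who requests the URL directly. Ideally that check uses the same `can_access_page?` rule, so the navbar and the router cannot drift apart. The path is also written twice as a literal, once in the guard and once in `navigate`; since the module already has `use MvWeb, :verified_routes`, `navigate={~p"/admin/roles"}` would at least have the link target checked against the router at compile time. The hunk's trailing context lines are not visible here.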