test: add page permission tests and ConnCase role tags

- ConnCase: add :read_only and :normal_user role tags for tests.
- Add CheckPagePermission plug tests (unit + integration for member, read_only,
  normal_user, admin). Update permission_sets_test (refute "/" for own_data).
- Profile navigation, global_settings, role_live, membership_fee_type: use
  users with role for "/" access; expect redirect for own_data on /settings
  and /admin/roles.

test/mv_web/live/profile_navigation_test.exs

@@ -9,8 +9,8 @@ defmodule MvWeb.ProfileNavigationTest do
 
   describe "profile navigation" do
     test "clicking profile button redirects to current user profile", %{conn: conn} do
-      # Setup: Create and login a user
-      user = create_test_user(%{email: "test@example.com"})
+      # User needs a role with page permission for "/" (e.g. admin)
+      user = Mv.Fixtures.user_with_role_fixture("admin")
       conn = conn_with_password_user(conn, user)
       {:ok, view, _html} = live(conn, "/")
 
@@ -21,9 +21,18 @@ defmodule MvWeb.ProfileNavigationTest do
       assert_redirected(view, "/users/#{user.id}")
     end
 
-    test "profile navigation shows correct user data", %{conn: conn} do
-      # Setup: Create and login a user
+    test "profile navigation shows correct user data", %{conn: conn, actor: actor} do
+      # User with password (from create_test_user) and admin role so they can access "/"
       user = create_test_user(%{email: "test@example.com"})
+      admin_role = Mv.Fixtures.role_fixture("admin")
+
+      {:ok, user} =
+        user
+        |> Ash.Changeset.for_update(:update, %{})
+        |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
+        |> Ash.update(actor: actor)
+
+      user = Ash.load!(user, :role, domain: Mv.Accounts, actor: actor)
       conn = conn_with_password_user(conn, user)
 
       # Navigate to profile
@@ -40,8 +49,8 @@ defmodule MvWeb.ProfileNavigationTest do
 
   describe "sidebar" do
     test "renders profile button with correct attributes", %{conn: conn} do
-      # Setup: Create and login a user
-      user = create_test_user(%{email: "test@example.com"})
+      # User needs a role with page permission for "/"
+      user = Mv.Fixtures.user_with_role_fixture("admin")
       conn = conn_with_password_user(conn, user)
       {:ok, _view, html} = live(conn, "/")
 
@@ -85,16 +94,27 @@ defmodule MvWeb.ProfileNavigationTest do
         })
         |> Ash.create!(domain: Mv.Accounts, actor: actor)
 
+      # Assign role so user can access "/" (page permission)
+      admin_role = Mv.Fixtures.role_fixture("admin")
+
+      {:ok, user_with_role} =
+        user
+        |> Ash.Changeset.for_update(:update, %{})
+        |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
+        |> Ash.update(actor: actor)
+
+      user_with_role = Ash.load!(user_with_role, :role, domain: Mv.Accounts, actor: actor)
+
       # Login user via OIDC
-      conn = sign_in_user_via_oidc(conn, user)
+      conn = sign_in_user_via_oidc(conn, user_with_role)
 
       # Navigate to home and click profile
       {:ok, view, _html} = live(conn, "/")
       view |> element("a", "Profil") |> render_click()
 
       # Verify we're on the correct profile page with OIDC specific information
-      {:ok, _profile_view, html} = live(conn, "/users/#{user.id}")
-      assert html =~ to_string(user.email)
+      {:ok, _profile_view, html} = live(conn, "/users/#{user_with_role.id}")
+      assert html =~ to_string(user_with_role.email)
       # Password auth should be disabled for OIDC users
       assert html =~ "Not enabled"
     end
@@ -103,14 +123,10 @@ defmodule MvWeb.ProfileNavigationTest do
       conn: conn,
       actor: actor
     } do
-      # Create password user
-      password_user =
-        create_test_user(%{
-          email: "password2@example.com",
-          password: "test_password123"
-        })
+      # Users need a role with page permission for "/"
+      password_user = Mv.Fixtures.user_with_role_fixture("admin")
 
-      # Create OIDC user
+      # Create OIDC user and assign admin role
       user_info = %{
         "sub" => "oidc_789",
         "preferred_username" => "oidc@example.com"
@@ -129,6 +145,17 @@ defmodule MvWeb.ProfileNavigationTest do
         })
         |> Ash.create!(domain: Mv.Accounts, actor: actor)
 
+      admin_role = Mv.Fixtures.role_fixture("admin")
+
+      {:ok, oidc_user_with_role} =
+        oidc_user
+        |> Ash.Changeset.for_update(:update, %{})
+        |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
+        |> Ash.update(actor: actor)
+
+      oidc_user_with_role =
+        Ash.load!(oidc_user_with_role, :role, domain: Mv.Accounts, actor: actor)
+
       # Test with password user
       conn_password = conn_with_password_user(conn, password_user)
       {:ok, view_password, _html} = live(conn_password, "/")
@@ -136,16 +163,17 @@ defmodule MvWeb.ProfileNavigationTest do
       assert_redirected(view_password, "/users/#{password_user.id}")
 
       # Test with OIDC user
-      conn_oidc = sign_in_user_via_oidc(conn, oidc_user)
+      conn_oidc = sign_in_user_via_oidc(conn, oidc_user_with_role)
       {:ok, view_oidc, _html} = live(conn_oidc, "/")
       view_oidc |> element("a", "Profil") |> render_click()
-      assert_redirected(view_oidc, "/users/#{oidc_user.id}")
+      assert_redirected(view_oidc, "/users/#{oidc_user_with_role.id}")
     end
   end
 
   describe "authenticated views" do
+    # User must have a role with page permission to access /members, /users, etc.
     setup %{conn: conn} do
-      user = create_test_user(%{email: "test@example.com"})
+      user = Mv.Fixtures.user_with_role_fixture("admin")
       conn = conn_with_password_user(conn, user)
       {:ok, conn: conn, user: user}
     end