test: add page permission tests and ConnCase role tags

- ConnCase: add :read_only and :normal_user role tags for tests.
- Add CheckPagePermission plug tests (unit + integration for member, read_only,
  normal_user, admin). Update permission_sets_test (refute "/" for own_data).
- Profile navigation, global_settings, role_live, membership_fee_type: use
  users with role for "/" access; expect redirect for own_data on /settings
  and /admin/roles.

test/mv_web/live/role_live_test.exs

@@ -441,18 +441,11 @@ defmodule MvWeb.RoleLiveTest do
     end
 
     test "only admin can access /admin/roles", %{conn: conn, actor: actor} do
-      {conn, _user} = create_non_admin_user(conn, actor)
+      {conn, user} = create_non_admin_user(conn, actor)
 
-      # Non-admin should be redirected or see error
-      # Note: Authorization is checked via can_access_page? which returns false
-      # The page might still mount but show no content or redirect
-      # For now, we just verify the page doesn't work as expected for non-admin
-      {:ok, _view, html} = live(conn, "/admin/roles")
-
-      # Non-admin should not see "New Role" button (can? returns false)
-      # But the button might still be in HTML, just hidden or disabled
-      # We verify that the page loads but admin features are restricted
-      assert html =~ "Listing Roles" || html =~ "Roles"
+      # Non-admin (no role or non-admin role) is redirected by CheckPagePermission plug
+      assert {:error, {:redirect, %{to: to}}} = live(conn, "/admin/roles")
+      assert to == "/users/#{user.id}"
     end
 
     test "admin can access /admin/roles", %{conn: conn, actor: actor} do