test: add page permission tests and ConnCase role tags

- ConnCase: add :read_only and :normal_user role tags for tests.
- Add CheckPagePermission plug tests (unit + integration for member, read_only,
  normal_user, admin). Update permission_sets_test (refute "/" for own_data).
- Profile navigation, global_settings, role_live, membership_fee_type: use
  users with role for "/" access; expect redirect for own_data on /settings
  and /admin/roles.

test/support/conn_case.ex

@@ -175,6 +175,18 @@ defmodule MvWeb.ConnCase do
           authenticated_conn = conn_with_password_user(conn, member_user)
           {authenticated_conn, member_user}
 
+        :read_only ->
+          # Vorstand/Buchhaltung: can read members, groups; cannot edit or access admin/settings
+          read_only_user = Mv.Fixtures.user_with_role_fixture("read_only")
+          authenticated_conn = conn_with_password_user(conn, read_only_user)
+          {authenticated_conn, read_only_user}
+
+        :normal_user ->
+          # Kassenwart: can read/update members, groups; cannot access users/settings/admin
+          normal_user = Mv.Fixtures.user_with_role_fixture("normal_user")
+          authenticated_conn = conn_with_password_user(conn, normal_user)
+          {authenticated_conn, normal_user}
+
         :unauthenticated ->
           # No authentication for unauthenticated tests
           {conn, nil}