Gate sidebar menu items by can_access_page?

Members, Fee Types and Administration subitems only shown when user has page permission. Add admin_menu_visible? helper. Sidebar test uses admin user so menu items render.
2026-02-03 16:35:35 +01:00 · 2026-02-03 16:35:35 +01:00 · bda1edebcb
commit bda1edebcb
parent 3d84b1f030
2 changed files with 51 additions and 23 deletions
--- a/lib/mv_web/components/layouts/sidebar.ex
+++ b/lib/mv_web/components/layouts/sidebar.ex
@ -70,33 +70,56 @@ defmodule MvWeb.Layouts.Sidebar do
  defp sidebar_menu(assigns) do
    ~H"""
    <ul class="menu flex-1 w-full p-2" role="menubar">
+      <%= if can_access_page?(@current_user, "/members") do %>
        <.menu_item
          href={~p"/members"}
          icon="hero-users"
          label={gettext("Members")}
        />
+      <% end %>

+      <%= if can_access_page?(@current_user, "/membership_fee_types") do %>
        <.menu_item
          href={~p"/membership_fee_types"}
          icon="hero-currency-euro"
          label={gettext("Fee Types")}
        />
+      <% end %>

-    <!-- Nested Admin Menu -->
+      <%= if admin_menu_visible?(@current_user) do %>
        <.menu_group icon="hero-cog-6-tooth" label={gettext("Administration")}>
+          <%= if can_access_page?(@current_user, "/users") do %>
            <.menu_subitem href={~p"/users"} label={gettext("Users")} />
+          <% end %>
+          <%= if can_access_page?(@current_user, "/groups") do %>
            <.menu_subitem href={~p"/groups"} label={gettext("Groups")} />
+          <% end %>
+          <%= if can_access_page?(@current_user, "/admin/roles") do %>
            <.menu_subitem href={~p"/admin/roles"} label={gettext("Roles")} />
+          <% end %>
+          <%= if can_access_page?(@current_user, "/membership_fee_settings") do %>
            <.menu_subitem
              href={~p"/membership_fee_settings"}
              label={gettext("Fee Settings")}
            />
+          <% end %>
+          <%= if can_access_page?(@current_user, "/settings") do %>
            <.menu_subitem href={~p"/settings"} label={gettext("Settings")} />
+          <% end %>
        </.menu_group>
+      <% end %>
    </ul>
    """
  end

+  defp admin_menu_visible?(user) do
+    Enum.any?(admin_page_paths(), &can_access_page?(user, &1))
+  end
+
+  defp admin_page_paths do
+    ["/users", "/groups", "/admin/roles", "/membership_fee_settings", "/settings"]
+  end
+
  attr :href, :string, required: true, doc: "Navigation path"
  attr :icon, :string, required: true, doc: "Heroicon name"
  attr :label, :string, required: true, doc: "Menu item label"
--- a/test/mv_web/components/layouts/sidebar_test.exs
+++ b/test/mv_web/components/layouts/sidebar_test.exs
@ -22,9 +22,14 @@ defmodule MvWeb.Layouts.SidebarTest do
  # =============================================================================

  # Returns assigns for an authenticated user with all required attributes.
+  # User has admin role so can_access_page? returns true for all sidebar links.
  defp authenticated_assigns(mobile \\ false) do
    %{
-      current_user: %{id: "user-123", email: "test@example.com"},
+      current_user: %{
+        id: "user-123",
+        email: "test@example.com",
+        role: %{permission_set_name: "admin"}
+      },
      club_name: "Test Club",
      mobile: mobile
    }