From cc9e530d8049505b26724704db5350e44ea1cb01 Mon Sep 17 00:00:00 2001
From: Moritz <moritz.m@local-it.org>
Date: Tue, 3 Feb 2026 16:35:33 +0100
Subject: [PATCH] Add User LiveView authorization tests

Covers admin, read_only, member, normal_user for Index and Show.
Asserts New User / Edit / Delete visibility and redirect for non-admin.
---
 .../live/user_live_authorization_test.exs     | 84 +++++++++++++++++++
 1 file changed, 84 insertions(+)
 create mode 100644 test/mv_web/live/user_live_authorization_test.exs

diff --git a/test/mv_web/live/user_live_authorization_test.exs b/test/mv_web/live/user_live_authorization_test.exs
new file mode 100644
index 0000000..9c35d87
--- /dev/null
+++ b/test/mv_web/live/user_live_authorization_test.exs
@@ -0,0 +1,84 @@
+defmodule MvWeb.UserLiveAuthorizationTest do
+  @moduledoc """
+  Tests for UI authorization on User LiveViews (Index and Show).
+  """
+  use MvWeb.ConnCase, async: false
+
+  import Phoenix.LiveViewTest
+
+  alias Mv.Fixtures
+
+  @new_user_text "New User"
+  @edit_user_text "Edit User"
+
+  describe "User Index - Admin" do
+    @tag role: :admin
+    test "sees New User, Edit and Delete buttons", %{conn: conn} do
+      user = Fixtures.user_with_role_fixture("admin")
+
+      {:ok, view, html} = live(conn, "/users")
+
+      assert html =~ @new_user_text
+      assert has_element?(view, "a[href=\"/users/#{user.id}/edit\"]")
+      assert has_element?(view, "a[phx-click*='delete']")
+    end
+  end
+
+  describe "User Index - Non-Admin is redirected" do
+    @tag role: :read_only
+    test "read_only is redirected when accessing /users", %{conn: conn, current_user: user} do
+      assert {:error, {:redirect, %{to: to}}} = live(conn, "/users")
+      assert to == "/users/#{user.id}"
+    end
+
+    @tag role: :member
+    test "member is redirected when accessing /users", %{conn: conn, current_user: user} do
+      assert {:error, {:redirect, %{to: to}}} = live(conn, "/users")
+      assert to == "/users/#{user.id}"
+    end
+
+    @tag role: :normal_user
+    test "normal_user is redirected when accessing /users", %{conn: conn, current_user: user} do
+      assert {:error, {:redirect, %{to: to}}} = live(conn, "/users")
+      assert to == "/users/#{user.id}"
+    end
+  end
+
+  describe "User Show - own profile" do
+    @tag role: :member
+    test "member sees Edit button on own profile", %{conn: conn, current_user: user} do
+      {:ok, _view, html} = live(conn, "/users/#{user.id}")
+
+      assert html =~ @edit_user_text
+    end
+
+    @tag role: :read_only
+    test "read_only sees Edit button on own profile", %{conn: conn, current_user: user} do
+      {:ok, _view, html} = live(conn, "/users/#{user.id}")
+
+      assert html =~ @edit_user_text
+    end
+
+    @tag role: :admin
+    test "admin sees Edit button on user show", %{conn: conn} do
+      user = Fixtures.user_with_role_fixture("read_only")
+
+      {:ok, _view, html} = live(conn, "/users/#{user.id}")
+
+      assert html =~ @edit_user_text
+    end
+  end
+
+  describe "User Show - other user (non-admin redirected)" do
+    @tag role: :member
+    test "member is redirected when accessing other user's profile", %{
+      conn: conn,
+      current_user: current_user
+    } do
+      other_user = Fixtures.user_with_role_fixture("admin")
+
+      assert {:error, {:redirect, %{to: to}}} = live(conn, "/users/#{other_user.id}")
+      assert to == "/users/#{current_user.id}"
+    end
+  end
+end