From d21ee8884929ef578f1ca94a83977726889fa970 Mon Sep 17 00:00:00 2001
From: Moritz <moritz.m@local-it.org>
Date: Thu, 12 Feb 2026 19:13:46 +0100
Subject: [PATCH] StatisticsLiveTest: explicit auth (read_only) and redirect
 test for own_data

---
 test/mv_web/live/statistics_live_test.exs | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/test/mv_web/live/statistics_live_test.exs b/test/mv_web/live/statistics_live_test.exs
index 3075c24..ed6128f 100644
--- a/test/mv_web/live/statistics_live_test.exs
+++ b/test/mv_web/live/statistics_live_test.exs
@@ -1,6 +1,9 @@
 defmodule MvWeb.StatisticsLiveTest do
   @moduledoc """
   Tests for the Statistics LiveView at /statistics.
+
+  Uses explicit auth: conn is authenticated with a role that has access to
+  the statistics page (read_only by default; override with @tag :role).
   """
   use MvWeb.ConnCase, async: true
 
@@ -9,6 +12,7 @@ defmodule MvWeb.StatisticsLiveTest do
   alias Mv.MembershipFees.MembershipFeeType
 
   describe "statistics page" do
+    @describetag role: :read_only
     test "renders statistics page with title and key labels for authenticated user with access",
          %{
            conn: conn
@@ -62,4 +66,13 @@ defmodule MvWeb.StatisticsLiveTest do
       assert html =~ "Contributions by year"
     end
   end
+
+  describe "statistics page with own_data role" do
+    @describetag role: :member
+    test "redirects when user has only own_data (no access to statistics page)", %{conn: conn} do
+      # member role uses own_data permission set; /statistics is not in own_data pages
+      conn = get(conn, ~p"/statistics")
+      assert redirected_to(conn) != ~p"/statistics"
+    end
+  end
 end