Secure regenerate_cycles: require can?(:create, MembershipFeeCycle) in handler

- Handler returns flash error when non-admin triggers event (e.g. DevTools).
- Test: read_only cannot create MembershipFeeCycle so handler rejects.

test/mv_web/member_live/show_membership_fees_test.exs

@@ -320,6 +320,19 @@ defmodule MvWeb.MemberLive.ShowMembershipFeesTest do
     end
   end
 
+  describe "read_only cannot trigger regenerate_cycles (handler enforces can?)" do
+    @tag role: :read_only
+    test "read_only cannot create MembershipFeeCycle so regenerate_cycles handler would show flash error",
+         %{current_user: read_only_user} do
+      # The regenerate_cycles handler checks can?(actor, :create, MembershipFeeCycle) before
+      # calling the generator. If a read_only user triggered the event (e.g. via DevTools),
+      # the handler returns flash error and no new cycles are created.
+      # This test verifies the condition the handler uses.
+      refute MvWeb.Authorization.can?(read_only_user, :create, MembershipFeeCycle),
+             "read_only must not be allowed to create MembershipFeeCycle so handler rejects regenerate_cycles"
+    end
+  end
+
   describe "confirm_delete_all_cycles handler (policy enforced)" do
     @tag role: :admin
     test "admin can delete all cycles via UI and cycles are removed", %{conn: conn} do