Member show & MembershipFees: permissions, delete all, regenerate, errors

- Show: handle_info :member_updated and :put_flash; Linked User only when can_access_page? /users
- MembershipFeesComponent: can_create_cycle/can_destroy_cycle/can_update_cycle; buttons gated
- Delete all cycles via Ash.destroy (policy enforced); format_error Forbidden
- Regenerate cycles for normal_user and admin (no admin-only check)
- Member form: format_error tuple for membership_fee_type_id; Select a membership fee type (no None)
- show_membership_fees_test: read_only UI and policy tests

test/mv_web/member_live/show_membership_fees_test.exs

@@ -274,4 +274,65 @@ defmodule MvWeb.MemberLive.ShowMembershipFeesTest do
       assert html =~ member.first_name
     end
   end
+
+  describe "read_only user (Vorstand/Buchhaltung) - no cycle action buttons" do
+    @tag role: :read_only
+    test "read_only does not see Regenerate Cycles, Delete All Cycles, or Create Cycle buttons",
+         %{
+           conn: conn
+         } do
+      fee_type = create_fee_type(%{interval: :yearly})
+      member = create_member(%{membership_fee_type_id: fee_type.id})
+      _cycle = create_cycle(member, fee_type, %{cycle_start: ~D[2023-01-01], status: :unpaid})
+
+      {:ok, view, _html} = live(conn, "/members/#{member.id}")
+
+      view
+      |> element("button[phx-click='switch_tab'][phx-value-tab='membership_fees']")
+      |> render_click()
+
+      refute has_element?(view, "button[phx-click='regenerate_cycles']")
+      refute has_element?(view, "button[phx-click='delete_all_cycles']")
+      refute has_element?(view, "button[phx-click='open_create_cycle_modal']")
+    end
+
+    @tag role: :read_only
+    test "read_only does not see Paid, Unpaid, Suspended, or Delete buttons in cycles table", %{
+      conn: conn
+    } do
+      fee_type = create_fee_type(%{interval: :yearly})
+      member = create_member(%{membership_fee_type_id: fee_type.id})
+      cycle = create_cycle(member, fee_type, %{cycle_start: ~D[2023-01-01], status: :unpaid})
+
+      {:ok, view, _html} = live(conn, "/members/#{member.id}")
+
+      view
+      |> element("button[phx-click='switch_tab'][phx-value-tab='membership_fees']")
+      |> render_click()
+
+      # Row action buttons must not be present for read_only
+      refute has_element?(view, "button[phx-click='mark_cycle_status']")
+      refute has_element?(view, "button[phx-click='delete_cycle']")
+      # Sanity: cycle row is present (read is allowed)
+      assert has_element?(view, "tr[id='cycle-#{cycle.id}']")
+    end
+  end
+
+  describe "read_only cannot delete all cycles (policy enforced via Ash.destroy)" do
+    @tag role: :read_only
+    test "confirm_delete_all_cycles returns error for read_only user", %{
+      current_user: read_only_user
+    } do
+      # Backend policy test: read_only cannot destroy any cycle.
+      # The UI hides the Delete All button for read_only; this test ensures
+      # that if the handler were triggered (e.g. via dev tools), the server
+      # would enforce policy and return Forbidden.
+      fee_type = create_fee_type(%{interval: :yearly})
+      member = create_member(%{membership_fee_type_id: fee_type.id})
+      cycle = create_cycle(member, fee_type, %{cycle_start: ~D[2023-01-01], status: :unpaid})
+
+      assert {:error, %Ash.Error.Forbidden{}} =
+               Ash.destroy(cycle, domain: Mv.MembershipFees, actor: read_only_user)
+    end
+  end
 end