From f30ef4c145887b4e7b587b8c91d7d93acf941f7b Mon Sep 17 00:00:00 2001
From: Moritz <moritz.m@local-it.org>
Date: Tue, 3 Feb 2026 16:35:29 +0100
Subject: [PATCH] Apply UI authorization to Member LiveViews (Index and Show)

Gate New Member button, Edit and Delete links with can?/3.
Edit button on Member Show visible only when user can update the member.
---
 lib/mv_web/live/member_live/index.html.heex | 26 +++++++++++++--------
 lib/mv_web/live/member_live/show.ex         |  8 ++++---
 2 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/lib/mv_web/live/member_live/index.html.heex b/lib/mv_web/live/member_live/index.html.heex
index 394db2c..c44f3a3 100644
--- a/lib/mv_web/live/member_live/index.html.heex
+++ b/lib/mv_web/live/member_live/index.html.heex
@@ -23,9 +23,11 @@
         <.icon name="hero-envelope" />
         {gettext("Open in email program")}
       </.button>
-      <.button variant="primary" navigate={~p"/members/new"}>
-        <.icon name="hero-plus" /> {gettext("New Member")}
-      </.button>
+      <%= if can?(@current_user, :create, Mv.Membership.Member) do %>
+        <.button variant="primary" navigate={~p"/members/new"}>
+          <.icon name="hero-plus" /> {gettext("New Member")}
+        </.button>
+      <% end %>
     </:actions>
   </.header>
 
@@ -297,16 +299,20 @@
         <.link navigate={~p"/members/#{member}"}>{gettext("Show")}</.link>
       </div>
 
-      <.link navigate={~p"/members/#{member}/edit"}>{gettext("Edit")}</.link>
+      <%= if can?(@current_user, :update, member) do %>
+        <.link navigate={~p"/members/#{member}/edit"}>{gettext("Edit")}</.link>
+      <% end %>
     </:action>
 
     <:action :let={member}>
-      <.link
-        phx-click={JS.push("delete", value: %{id: member.id}) |> hide("#row-#{member.id}")}
-        data-confirm={gettext("Are you sure?")}
-      >
-        {gettext("Delete")}
-      </.link>
+      <%= if can?(@current_user, :destroy, member) do %>
+        <.link
+          phx-click={JS.push("delete", value: %{id: member.id}) |> hide("#row-#{member.id}")}
+          data-confirm={gettext("Are you sure?")}
+        >
+          {gettext("Delete")}
+        </.link>
+      <% end %>
     </:action>
   </.table>
 </Layouts.app>
diff --git a/lib/mv_web/live/member_live/show.ex b/lib/mv_web/live/member_live/show.ex
index d484672..9ac1fc8 100644
--- a/lib/mv_web/live/member_live/show.ex
+++ b/lib/mv_web/live/member_live/show.ex
@@ -39,9 +39,11 @@ defmodule MvWeb.MemberLive.Show do
           {MvWeb.Helpers.MemberHelpers.display_name(@member)}
         </h1>
 
-        <.button variant="primary" navigate={~p"/members/#{@member}/edit?return_to=show"}>
-          {gettext("Edit Member")}
-        </.button>
+        <%= if can?(@current_user, :update, @member) do %>
+          <.button variant="primary" navigate={~p"/members/#{@member}/edit?return_to=show"}>
+            {gettext("Edit Member")}
+          </.button>
+        <% end %>
       </div>
 
       <%!-- Tab Navigation --%>