Added permission checks

jzongker · jzongker · commit 768d9909b254 · 2026-04-07T11:13:06.000-05:00
diff --git a/src/calendars/CalendarPage.tsx b/src/calendars/CalendarPage.tsx
@@ -15,8 +15,9 @@ import {
   TableHead
 } from "@mui/material";
 import { Delete as DeleteIcon, CalendarMonth as CalendarIcon, Groups as GroupsIcon } from "@mui/icons-material";
-import { ApiHelper, UserHelper, Loading, PageHeader, Locale } from "@churchapps/apphelper";
+import { ApiHelper, UserHelper, Loading, PageHeader, Locale, Permissions } from "@churchapps/apphelper";
 import { type CuratedCalendarInterface, type GroupInterface, type CuratedEventInterface } from "@churchapps/helpers";
+import { PermissionDenied } from "../components";
 import { CuratedCalendar } from "./components/CuratedCalendar";
 
 export const CalendarPage = () => {
@@ -65,22 +66,24 @@ export const CalendarPage = () => {
           {g.name}
         </Typography>
       </TableCell>
-      <TableCell align="right">
-        <Tooltip title={Locale.label("calendars.calendarPage.removeGroup")} arrow>
-          <IconButton
-            size="small"
-            onClick={() => handleGroupDelete(g.id)}
-            data-testid={`remove-group-${g.id}-button`}
-            aria-label={Locale.label("calendars.calendarPage.removeGroupAria", g.name)}
-            sx={{
-              color: "error.main",
-              "&:hover": { backgroundColor: "error.light" }
-            }}
-          >
-            <DeleteIcon fontSize="small" />
-          </IconButton>
-        </Tooltip>
-      </TableCell>
+      {UserHelper.checkAccess(Permissions.contentApi.content.edit) && (
+        <TableCell align="right">
+          <Tooltip title={Locale.label("calendars.calendarPage.removeGroup")} arrow>
+            <IconButton
+              size="small"
+              onClick={() => handleGroupDelete(g.id)}
+              data-testid={`remove-group-${g.id}-button`}
+              aria-label={Locale.label("calendars.calendarPage.removeGroupAria", g.name)}
+              sx={{
+                color: "error.main",
+                "&:hover": { backgroundColor: "error.light" }
+              }}
+            >
+              <DeleteIcon fontSize="small" />
+            </IconButton>
+          </Tooltip>
+        </TableCell>
+      )}
     </TableRow>
   ));
 
@@ -89,6 +92,7 @@ export const CalendarPage = () => {
   }, [curatedCalendarId]);
 
   if (!curatedCalendarId) return null;
+  if (!UserHelper.checkAccess(Permissions.contentApi.content.edit)) return <PermissionDenied permissions={[Permissions.contentApi.content.edit]} />;
 
   return (
     <>
diff --git a/src/calendars/CalendarsPage.tsx b/src/calendars/CalendarsPage.tsx
@@ -29,6 +29,7 @@ import {
   Description as DescriptionIcon
 } from "@mui/icons-material";
 import { CalendarEdit } from "./components";
+import { PermissionDenied } from "../components";
 
 export const CalendarsPage = () => {
   const [calendars, setCalendars] = useState<CuratedCalendarInterface[]>([]);
@@ -152,6 +153,8 @@ export const CalendarsPage = () => {
     loadData();
   }, []);
 
+  if (!UserHelper.checkAccess(Permissions.contentApi.content.edit)) return <PermissionDenied permissions={[Permissions.contentApi.content.edit]} />;
+
   return (
     <>
       <PageHeader
diff --git a/src/components/PermissionDenied.tsx b/src/components/PermissionDenied.tsx
@@ -0,0 +1,25 @@
+import React from "react";
+import { Alert, Box } from "@mui/material";
+import { UserHelper } from "@churchapps/apphelper";
+import type { IApiPermission } from "@churchapps/helpers";
+
+interface Props {
+  permissions: IApiPermission[];
+  message?: string;
+}
+
+export const hasPermission = (...perms: IApiPermission[]): boolean => perms.every(p => UserHelper.checkAccess(p));
+
+export const PermissionDenied: React.FC<Props> = ({ permissions, message }) => (
+  <Box sx={{ p: 3 }}>
+    <Alert severity="warning">
+      {message || "You do not have the required permission(s) to access this feature:"}
+      <ul style={{ margin: "8px 0 0 0", paddingLeft: 20 }}>
+        {permissions.map((p, i) => (
+          <li key={i}>{p.api} - {p.contentType} - {p.action}</li>
+        ))}
+      </ul>
+      Please contact your church administrator to request access.
+    </Alert>
+  </Box>
+);
diff --git a/src/components/index.ts b/src/components/index.ts
@@ -13,6 +13,7 @@ export { Question } from "./Question";
 export { Search } from "./Search";
 export { StateOptions } from "./StateOptions";
 export { Wrapper } from "./Wrapper";
+export { PermissionDenied, hasPermission } from "./PermissionDenied";
 export { DocChatWidget } from "./docChat";
 
 // Person Management Components (moved from AppHelper)
diff --git a/src/dashboard/components/QuickSetupModal.tsx b/src/dashboard/components/QuickSetupModal.tsx
@@ -1,6 +1,6 @@
 import React from "react";
 import { Dialog, DialogTitle, DialogContent, DialogActions, Button, TextField, Stack, Typography, Alert } from "@mui/material";
-import { ApiHelper } from "@churchapps/apphelper";
+import { ApiHelper, UserHelper, Permissions } from "@churchapps/apphelper";
 import { type GroupInterface, type GroupMemberInterface } from "@churchapps/helpers";
 import UserContext from "../../UserContext";
 
@@ -78,6 +78,10 @@ export const QuickSetupModal: React.FC<Props> = ({ wizardType, open, onClose, on
   };
 
   const handleFreeshowSetup = async () => {
+    if (!UserHelper.checkAccess(Permissions.membershipApi.groups.edit)) {
+      setError("You don't have permission to perform this action. Required: MembershipApi - Groups - Edit");
+      return;
+    }
     if (!ministryName.trim() || !teamName.trim()) {
       setError("Please enter both a ministry name and a team name.");
       return;
@@ -108,6 +112,10 @@ export const QuickSetupModal: React.FC<Props> = ({ wizardType, open, onClose, on
   };
 
   const handleFreeplaySetup = async () => {
+    if (!UserHelper.checkAccess(Permissions.membershipApi.groups.edit) || !UserHelper.checkAccess(Permissions.membershipApi.plans.edit)) {
+      setError("You don't have permission to perform this action. Required: MembershipApi - Groups - Edit, MembershipApi - Plans - Edit");
+      return;
+    }
     if (!ministryName.trim() || !classroomName.trim()) {
       setError("Please enter both a ministry name and a classroom name.");
       return;
@@ -132,6 +140,10 @@ export const QuickSetupModal: React.FC<Props> = ({ wizardType, open, onClose, on
   };
 
   const handleWebpageSetup = async () => {
+    if (!UserHelper.checkAccess(Permissions.contentApi.content.edit)) {
+      setError("You don't have permission to perform this action. Required: ContentApi - Content - Edit");
+      return;
+    }
     if (!pageTitle.trim()) {
       setError("Please enter a page title.");
       return;
@@ -145,6 +157,10 @@ export const QuickSetupModal: React.FC<Props> = ({ wizardType, open, onClose, on
   };
 
   const handleGroupSetup = async () => {
+    if (!UserHelper.checkAccess(Permissions.membershipApi.groups.edit)) {
+      setError("You don't have permission to perform this action. Required: MembershipApi - Groups - Edit");
+      return;
+    }
     if (!groupName.trim()) {
       setError("Please enter a group name.");
       return;
diff --git a/src/forms/FormsPage.tsx b/src/forms/FormsPage.tsx
@@ -7,6 +7,7 @@ import { Icon, Table, TableBody, TableCell, TableRow, TableHead, Box, Typography
 import { Description as DescriptionIcon, Add as AddIcon, Archive as ArchiveIcon } from "@mui/icons-material";
 import { SmallButton } from "@churchapps/apphelper";
 import { PageHeader } from "@churchapps/apphelper";
+import { PermissionDenied } from "../components";
 import { useQuery } from "@tanstack/react-query";
 import { SmartTabs } from "../components/ui";
 
@@ -139,6 +140,7 @@ export const FormsPage = () => {
     if (selectedTab === "forms") return <FormEdit formId={selectedFormId} updatedFunction={handleUpdate}></FormEdit>;
   };
 
+  if (!formPermission) return <PermissionDenied permissions={[Permissions.membershipApi.forms.admin, Permissions.membershipApi.forms.edit]} />;
   if (forms.isLoading || archivedForms.isLoading) return <Loading />;
 
   const renderTable = (rows: JSX.Element[], isArchived: boolean) => (
diff --git a/src/groups/components/GroupMembers.tsx b/src/groups/components/GroupMembers.tsx
@@ -36,10 +36,12 @@ export const GroupMembers: React.FC<Props> = memo((props) => {
   const [count, setCount] = useState<number>(0);
   const [showInviteDialog, setShowInviteDialog] = useState<boolean>(false);
 
+  const canView = useMemo(() => UserHelper.checkAccess(Permissions.membershipApi.groupMembers.view), []);
+
   const groupMembers = useQuery<GroupMemberInterface[]>({
     queryKey: [`/groupmembers?groupId=${props.group?.id}`, "MembershipApi"],
     placeholderData: [],
-    enabled: !!props.group?.id
+    enabled: !!props.group?.id && canView
   });
 
   const handleRemove = useCallback(
diff --git a/src/helpers/SecondaryMenuHelper.ts b/src/helpers/SecondaryMenuHelper.ts
@@ -55,10 +55,12 @@ export class SecondaryMenuHelper {
   static getMobileMenu = (path: string) => {
     const menuItems: MenuItem[] = [];
     let label: string = Locale.label("common.mobile");
-    menuItems.push({ url: "/mobile/navigation", label: Locale.label("common.navigation"), icon: "menu" });
-    menuItems.push({ url: "/mobile/theme", label: Locale.label("common.appTheme"), icon: "palette" });
-    menuItems.push({ url: "/mobile/b1-mobile", label: Locale.label("common.b1Mobile"), icon: "phone_android" });
-    menuItems.push({ url: "/mobile/checkin", label: Locale.label("common.b1CheckIn"), icon: "qr_code" });
+    if (UserHelper.checkAccess(Permissions.membershipApi.settings.edit)) {
+      menuItems.push({ url: "/mobile/navigation", label: Locale.label("common.navigation"), icon: "menu" });
+      menuItems.push({ url: "/mobile/theme", label: Locale.label("common.appTheme"), icon: "palette" });
+      menuItems.push({ url: "/mobile/b1-mobile", label: Locale.label("common.b1Mobile"), icon: "phone_android" });
+      menuItems.push({ url: "/mobile/checkin", label: Locale.label("common.b1CheckIn"), icon: "qr_code" });
+    }
 
     if (path.startsWith("/mobile/theme")) label = Locale.label("common.appTheme");
     else if (path.startsWith("/mobile/b1-mobile")) label = Locale.label("common.b1Mobile");
@@ -127,12 +129,14 @@ export class SecondaryMenuHelper {
     const menuItems: MenuItem[] = [];
     let label: string = "Website";
 
-    menuItems.push({ url: "/site/pages", label: "Pages", icon: "article" });
-    menuItems.push({ url: "/site/blocks", label: "Blocks", icon: "widgets" });
-    menuItems.push({ url: "/site/appearance", label: "Appearance", icon: "palette" });
-    menuItems.push({ url: "/site/files", label: "Files", icon: "folder_open" });
-    menuItems.push({ url: "/calendars", label: "Calendars", icon: "calendar_month" });
-    menuItems.push({ url: "/registrations", label: "Registrations", icon: "how_to_reg" });
+    if (UserHelper.checkAccess(Permissions.contentApi.content.edit)) {
+      menuItems.push({ url: "/site/pages", label: "Pages", icon: "article" });
+      menuItems.push({ url: "/site/blocks", label: "Blocks", icon: "widgets" });
+      menuItems.push({ url: "/site/appearance", label: "Appearance", icon: "palette" });
+      menuItems.push({ url: "/site/files", label: "Files", icon: "folder_open" });
+      menuItems.push({ url: "/calendars", label: "Calendars", icon: "calendar_month" });
+      menuItems.push({ url: "/registrations", label: "Registrations", icon: "how_to_reg" });
+    }
 
     if (path.startsWith("/registrations")) label = "Registrations";
     else if (path.startsWith("/site/pages")) label = "Pages";
@@ -148,10 +152,12 @@ export class SecondaryMenuHelper {
   static getSermonsMenu = (path: string) => {
     const menuItems: MenuItem[] = [];
     let label: string = "";
-    menuItems.push({ url: "/sermons", label: "Sermons", icon: "live_tv" });
-    menuItems.push({ url: "/sermons/playlists", label: "Playlists", icon: "video_library" });
-    menuItems.push({ url: "/sermons/times", label: "Live Stream Times", icon: "schedule" });
-    menuItems.push({ url: "/sermons/bulk", label: "Bulk Import", icon: "cloud_upload" });
+    if (UserHelper.checkAccess(Permissions.contentApi.streamingServices.edit)) {
+      menuItems.push({ url: "/sermons", label: "Sermons", icon: "live_tv" });
+      menuItems.push({ url: "/sermons/playlists", label: "Playlists", icon: "video_library" });
+      menuItems.push({ url: "/sermons/times", label: "Live Stream Times", icon: "schedule" });
+      menuItems.push({ url: "/sermons/bulk", label: "Bulk Import", icon: "cloud_upload" });
+    }
 
     if (path.startsWith("/sermons/bulk")) label = "Bulk Import";
     else if (path.startsWith("/sermons/times")) label = "Live Stream Times";
diff --git a/src/mobile/AppThemePage.tsx b/src/mobile/AppThemePage.tsx
@@ -1,13 +1,18 @@
 import React from "react";
 import { Box } from "@mui/material";
-import { Locale, PageHeader } from "@churchapps/apphelper";
+import { Locale, PageHeader, UserHelper, Permissions } from "@churchapps/apphelper";
 import { AppThemeEdit } from "../settings/components/AppThemeEdit";
+import { PermissionDenied } from "../components";
 
-export const AppThemePage: React.FC = () => (
-  <>
-    <PageHeader title={Locale.label("mobile.appThemePage.title")} subtitle={Locale.label("mobile.appThemePage.subtitle")} />
-    <Box sx={{ p: 3 }}>
-      <AppThemeEdit />
-    </Box>
-  </>
-);
+export const AppThemePage: React.FC = () => {
+  if (!UserHelper.checkAccess(Permissions.membershipApi.settings.edit)) return <PermissionDenied permissions={[Permissions.membershipApi.settings.edit]} />;
+
+  return (
+    <>
+      <PageHeader title={Locale.label("mobile.appThemePage.title")} subtitle={Locale.label("mobile.appThemePage.subtitle")} />
+      <Box sx={{ p: 3 }}>
+        <AppThemeEdit />
+      </Box>
+    </>
+  );
+};
diff --git a/src/mobile/B1MobilePage.tsx b/src/mobile/B1MobilePage.tsx
@@ -1,7 +1,8 @@
 import React from "react";
 import { Box, Button, FormControl, Grid, Icon, InputLabel, MenuItem, Select, Stack, Tooltip, Typography } from "@mui/material";
-import { ApiHelper, Locale, PageHeader, UniqueIdHelper, UserHelper } from "@churchapps/apphelper";
+import { ApiHelper, Locale, PageHeader, UniqueIdHelper, UserHelper, Permissions } from "@churchapps/apphelper";
 import type { GenericSettingInterface, GroupInterface, VisibilityPreferenceInterface } from "@churchapps/helpers";
+import { PermissionDenied } from "../components";
 
 export const B1MobilePage: React.FC = () => {
   const [groups, setGroups] = React.useState<GroupInterface[]>(null);
@@ -49,6 +50,8 @@ export const B1MobilePage: React.FC = () => {
 
   React.useEffect(() => { loadData(); }, [loadData]);
 
+  if (!UserHelper.checkAccess(Permissions.membershipApi.settings.edit)) return <PermissionDenied permissions={[Permissions.membershipApi.settings.edit]} />;
+
   const handlePrefChange = (name: string, value: string) => {
     setPref(prev => ({ ...prev, [name]: value }));
   };
diff --git a/src/mobile/CheckInPage.tsx b/src/mobile/CheckInPage.tsx
@@ -1,7 +1,8 @@
 import React from "react";
 import { Box, Button, Icon, Stack, Switch, Tooltip, Typography } from "@mui/material";
-import { ApiHelper, Locale, PageHeader, UniqueIdHelper, UserHelper } from "@churchapps/apphelper";
+import { ApiHelper, Locale, PageHeader, UniqueIdHelper, UserHelper, Permissions } from "@churchapps/apphelper";
 import type { GenericSettingInterface } from "@churchapps/helpers";
+import { PermissionDenied } from "../components";
 
 export const CheckInPage: React.FC = () => {
   const [enabled, setEnabled] = React.useState(false);
@@ -22,6 +23,8 @@ export const CheckInPage: React.FC = () => {
 
   React.useEffect(() => { loadData(); }, [loadData]);
 
+  if (!UserHelper.checkAccess(Permissions.membershipApi.settings.edit)) return <PermissionDenied permissions={[Permissions.membershipApi.settings.edit]} />;
+
   const handleSave = async () => {
     setSaving(true);
     try {
diff --git a/src/registrations/RegistrationDetailsPage.tsx b/src/registrations/RegistrationDetailsPage.tsx
@@ -23,8 +23,9 @@ import {
   Delete as DeleteIcon,
   Download as DownloadIcon
 } from "@mui/icons-material";
-import { ApiHelper, Loading, PageHeader } from "@churchapps/apphelper";
+import { ApiHelper, Loading, PageHeader, UserHelper, Permissions } from "@churchapps/apphelper";
 import { type EventInterface, type RegistrationInterface } from "@churchapps/helpers";
+import { PermissionDenied } from "../components";
 import { RegistrationSettingsEdit } from "./components/RegistrationSettingsEdit";
 
 export const RegistrationDetailsPage = () => {
@@ -105,18 +106,23 @@ export const RegistrationDetailsPage = () => {
       <TableCell>{getStatusChip(reg.status)}</TableCell>
       <TableCell>{reg.registeredDate ? new Date(reg.registeredDate).toLocaleDateString() : ""}</TableCell>
       <TableCell align="right">
-        {reg.status !== "cancelled" && (
-          <Tooltip title="Cancel Registration" arrow>
-            <IconButton size="small" onClick={() => handleCancel(reg.id)} color="warning"><CancelIcon fontSize="small" /></IconButton>
-          </Tooltip>
+        {UserHelper.checkAccess(Permissions.contentApi.content.edit) && (
+          <>
+            {reg.status !== "cancelled" && (
+              <Tooltip title="Cancel Registration" arrow>
+                <IconButton size="small" onClick={() => handleCancel(reg.id)} color="warning"><CancelIcon fontSize="small" /></IconButton>
+              </Tooltip>
+            )}
+            <Tooltip title="Delete" arrow>
+              <IconButton size="small" onClick={() => handleDelete(reg.id)} color="error"><DeleteIcon fontSize="small" /></IconButton>
+            </Tooltip>
+          </>
         )}
-        <Tooltip title="Delete" arrow>
-          <IconButton size="small" onClick={() => handleDelete(reg.id)} color="error"><DeleteIcon fontSize="small" /></IconButton>
-        </Tooltip>
       </TableCell>
     </TableRow>
   ));
 
+  if (!UserHelper.checkAccess(Permissions.contentApi.content.edit)) return <PermissionDenied permissions={[Permissions.contentApi.content.edit]} />;
   if (loading) return <Box sx={{ p: 3, textAlign: "center" }}><Loading /></Box>;
   if (!event) return <Typography>Event not found</Typography>;
 
diff --git a/src/registrations/RegistrationsPage.tsx b/src/registrations/RegistrationsPage.tsx
@@ -14,8 +14,9 @@ import {
   LinearProgress
 } from "@mui/material";
 import { HowToReg as RegIcon } from "@mui/icons-material";
-import { ApiHelper, Loading, PageHeader } from "@churchapps/apphelper";
+import { ApiHelper, Loading, PageHeader, UserHelper, Permissions } from "@churchapps/apphelper";
 import { type EventInterface } from "@churchapps/helpers";
+import { PermissionDenied } from "../components";
 
 export const RegistrationsPage = () => {
   const navigate = useNavigate();
@@ -42,6 +43,8 @@ export const RegistrationsPage = () => {
 
   useEffect(() => { loadData(); }, []);
 
+  if (!UserHelper.checkAccess(Permissions.contentApi.content.edit)) return <PermissionDenied permissions={[Permissions.contentApi.content.edit]} />;
+
   const getCapacityDisplay = (event: EventInterface) => {
     const count = counts[event.id] || 0;
     if (!event.capacity) return <Typography variant="body2">{count} registered</Typography>;
diff --git a/src/serverAdmin/AdminPage.tsx b/src/serverAdmin/AdminPage.tsx
@@ -1,5 +1,6 @@
 import React from "react";
-import { Locale } from "@churchapps/apphelper";
+import { Locale, UserHelper, Permissions } from "@churchapps/apphelper";
+import { PermissionDenied } from "../components";
 import { Grid, Box, List, ListItem, ListItemButton, ListItemIcon, ListItemText, Card, CardContent } from "@mui/material";
 import { Church as ChurchIcon, ShowChart as UsageIcon, Book as TranslationIcon, Settings as AdminIcon, PersonSearch as UserIcon } from "@mui/icons-material";
 import { PageHeader } from "@churchapps/apphelper";
@@ -11,6 +12,8 @@ import { UsersTab } from "./components/UsersTab";
 export const AdminPage = () => {
   const [selectedTab, setSelectedTab] = React.useState("churches");
 
+  if (!UserHelper.checkAccess(Permissions.membershipApi.server.admin)) return <PermissionDenied permissions={[Permissions.membershipApi.server.admin]} />;
+
   const getCurrentTab = () => {
     switch (selectedTab) {
       case "churches": return <ChurchesTab key="churches" />;
diff --git a/src/serverAdmin/ReportPage.tsx b/src/serverAdmin/ReportPage.tsx
diff --git a/src/settings/ManageChurch.tsx b/src/settings/ManageChurch.tsx
diff --git a/src/settings/MobileAppSettingsPage.tsx b/src/settings/MobileAppSettingsPage.tsx
diff --git a/src/site/AppearancePage.tsx b/src/site/AppearancePage.tsx
diff --git a/src/site/BlocksPage.tsx b/src/site/BlocksPage.tsx
diff --git a/src/site/FilesPage.tsx b/src/site/FilesPage.tsx
diff --git a/src/site/PagesPage.tsx b/src/site/PagesPage.tsx
