feat(permissions): implement user permissions management system (#99)

Implement comprehensive user permissions management for projects with role-based access control.

- Add user management API endpoints (add/update/remove users)
- Create user permissions UI components (table, form, matrix)
- Implement route guards and conditional UI for settings access
- Simplify from project/committee scope to project-wide roles
- Update E2E tests for permission-based settings visibility

JIRA: LFXV2-548, LFXV2-549, LFXV2-550, LFXV2-551, LFXV2-552, LFXV2-553, LFXV2-554

Generated with [Claude Code](https://claude.ai/code)

Signed-off-by: Asitha de Silva <asithade@gmail.com>

Author: asithade

apps/lfx-one/e2e/project-dashboard.spec.ts

@@ -82,7 +82,21 @@ test.describe('Project Dashboard', () => {
         await expect(page.getByTestId('menu-item').filter({ hasText: 'Meetings' })).toBeVisible();
         await expect(page.getByTestId('menu-item').filter({ hasText: 'Committees' })).toBeVisible();
         // await expect(page.getByTestId('menu-item').filter({ hasText: 'Mailing Lists' })).toBeVisible();
-        // await expect(page.getByTestId('menu-item').filter({ hasText: 'Settings' })).toBeVisible();
+        await expect(page.getByTestId('menu-item').filter({ hasText: 'Settings' })).toBeVisible();
+      });
+
+      test('should display Settings menu for users with write permissions', async ({ page }) => {
+        // Settings should be visible in both desktop and mobile views for users with write permissions
+        const viewport = page.viewportSize();
+        const isMobile = viewport && viewport.width < 768;
+
+        if (isMobile) {
+          // On mobile, Settings should be visible as mobile-menu-item
+          await expect(page.getByTestId('mobile-menu-item').filter({ hasText: 'Settings' })).toBeVisible();
+        } else {
+          // On desktop, Settings should be visible as menu-item
+          await expect(page.getByTestId('menu-item').filter({ hasText: 'Settings' })).toBeVisible();
+        }
       });
     });
 
@@ -425,8 +439,22 @@ test.describe('Without Write Permissions', () => {
       await expect(page.getByTestId('menu-item').filter({ hasText: 'Committees' })).toBeVisible();
       // await expect(page.getByTestId('menu-item').filter({ hasText: 'Mailing Lists' })).toBeVisible();
 
-      // Settings tab should also be accessible (though it may have limited functionality)
-      // await expect(page.getByTestId('menu-item').filter({ hasText: 'Settings' })).toBeVisible();
+      // Settings tab should NOT be visible for users without write permissions
+      await expect(page.getByTestId('menu-item').filter({ hasText: 'Settings' })).not.toBeVisible();
+    });
+
+    test('should NOT display Settings menu for users without write permissions', async ({ page }) => {
+      // Settings should NOT be visible in either desktop or mobile views for users without write permissions
+      const viewport = page.viewportSize();
+      const isMobile = viewport && viewport.width < 768;
+
+      if (isMobile) {
+        // On mobile, Settings should NOT be visible as mobile-menu-item
+        await expect(page.getByTestId('mobile-menu-item').filter({ hasText: 'Settings' })).not.toBeVisible();
+      } else {
+        // On desktop, Settings should NOT be visible as menu-item
+        await expect(page.getByTestId('menu-item').filter({ hasText: 'Settings' })).not.toBeVisible();
+      }
     });
   });
 
@@ -455,6 +483,9 @@ test.describe('Without Write Permissions', () => {
       // Should only have 2 menu items on mobile for read-only users
       const quickActionsSection = page.getByText('Quick Actions').locator('..');
       await expect(quickActionsSection.getByRole('menuitem')).toHaveCount(2);
+
+      // Settings should NOT be visible on mobile for read-only users
+      await expect(page.getByTestId('mobile-menu-item').filter({ hasText: 'Settings' })).not.toBeVisible();
     });
   });
 });

apps/lfx-one/src/app/layouts/project-layout/project-layout.component.html

@@ -56,31 +56,33 @@ <h1 class="text-2xl font-display font-semibold text-gray-900 mb-3">
             {{ menu.label }}
           </a>
         }
-        <div class="flex md:hidden">
+        @if (hasWriterAccess()) {
+          <div class="flex md:hidden">
+            <a
+              routerLink="/project/{{ projectSlug() }}/settings"
+              class="pill"
+              routerLinkActive="bg-blue-50 text-blue-600 border-0 block md:hidden"
+              data-testid="mobile-menu-item"
+              [routerLinkActiveOptions]="{ exact: true }">
+              <i class="fa-light fa-gear"></i>
+              <span>Settings</span>
+            </a>
+          </div>
+        }
+      </div>
+      @if (hasWriterAccess()) {
+        <div class="items-center gap-3 hidden md:flex">
           <a
             routerLink="/project/{{ projectSlug() }}/settings"
             class="pill"
-            routerLinkActive="bg-blue-50 text-blue-600 border-0 block md:hidden"
-            data-testid="mobile-menu-item"
+            routerLinkActive="bg-blue-50 text-blue-600 border-0"
+            data-testid="menu-item"
             [routerLinkActiveOptions]="{ exact: true }">
             <i class="fa-light fa-gear"></i>
             <span>Settings</span>
           </a>
         </div>
-      </div>
-      <!-- TODO: Add settings menu item back in
-      <div class="items-center gap-3 hidden md:flex">
-        <a
-          routerLink="/project/{{ projectSlug() }}/settings"
-          class="pill"
-          routerLinkActive="bg-blue-50 text-blue-600 border-0"
-          data-testid="menu-item"
-          [routerLinkActiveOptions]="{ exact: true }">
-          <i class="fa-light fa-gear"></i>
-          <span>Settings</span>
-        </a>
-      </div>
-      -->
+      }
     </div>
   </div>
 </div>

apps/lfx-one/src/app/layouts/project-layout/project-layout.component.ts

@@ -44,6 +44,7 @@ export class ProjectLayoutComponent {
   public readonly categoryLabel = computed(() => this.project()?.slug || '');
   public readonly projectSlug = computed(() => this.project()?.slug || '');
   public readonly projectLogo = computed(() => this.project()?.logo_url || '');
+  public readonly hasWriterAccess = computed(() => this.project()?.writer === true);
   public readonly breadcrumbItems = input<MenuItem[]>([
     {
       label: 'All Projects',

apps/lfx-one/src/app/modules/project/project.routes.ts

@@ -3,6 +3,8 @@
 
 import { Routes } from '@angular/router';
 
+import { writerGuard } from '../../shared/guards/writer.guard';
+
 export const PROJECT_ROUTES: Routes = [
   {
     path: '',
@@ -26,6 +28,7 @@ export const PROJECT_ROUTES: Routes = [
   {
     path: 'settings',
     loadComponent: () => import('./settings/settings-dashboard/settings-dashboard.component').then((m) => m.SettingsDashboardComponent),
+    canActivate: [writerGuard],
     data: { preload: false }, // Settings accessed less frequently, don't preload
   },
 ];

apps/lfx-one/src/app/modules/project/settings/components/permissions-matrix/permissions-matrix.component.html

@@ -4,10 +4,7 @@
   <div class="space-y-4">
     <!-- Key Points -->
     <div class="bg-blue-50 border border-blue-200 rounded p-3">
-      <p class="text-xs text-blue-800">
-        <strong>Key:</strong> Project permissions apply to all resources. Committee permissions are limited to assigned committees and their associated meetings
-        and/or mailing lists only.
-      </p>
+      <p class="text-xs text-blue-800"><strong>Key:</strong> All permissions apply to the entire project including committees, meetings, and mailing lists.</p>
     </div>
 
     <!-- Compact Permission Matrix -->

apps/lfx-one/src/app/modules/project/settings/components/permissions-matrix/permissions-matrix.component.ts

@@ -28,36 +28,6 @@ export class PermissionsMatrixComponent {
       level: 'Manage',
       description: 'Manage all project resources',
       capabilities: ['Manage project, committees, meetings, mailing lists'],
-      badge: {
-        color: 'text-blue-800',
-        bgColor: 'bg-blue-100',
-      },
-    },
-    {
-      scope: 'Committee',
-      level: 'View',
-      description: 'View specific committee only, including meetings and mailing lists that are associated with the committees.',
-      capabilities: [
-        'View project (limited to committees)',
-        'View assigned committees',
-        'View meetings associated with the committees',
-        'View mailing lists associated with the committees',
-      ],
-      badge: {
-        color: 'text-green-800',
-        bgColor: 'bg-green-100',
-      },
-    },
-    {
-      scope: 'Committee',
-      level: 'Manage',
-      description: 'Manage specific committee only, including meetings and mailing lists that are associated with the committees.',
-      capabilities: [
-        'View project (limited to committees)',
-        'Manage assigned committees',
-        'Manage meetings associated with the committees',
-        'Manage mailing lists associated with the committees',
-      ],
       badge: {
         color: 'text-green-800',
         bgColor: 'bg-green-100',

apps/lfx-one/src/app/modules/project/settings/components/user-form/user-form.component.html

@@ -2,95 +2,34 @@
 <!-- SPDX-License-Identifier: MIT -->
 
 <form [formGroup]="form()" (ngSubmit)="onSubmit()" class="space-y-6">
-  <!-- Basic Information Section -->
+  <!-- User Information Section -->
   <div class="flex flex-col gap-3">
-    <div class="grid grid-cols-1 md:grid-cols-2 gap-4">
-      <!-- First Name -->
-      <div>
-        <label for="first-name" class="block text-sm font-medium text-gray-700 mb-1"> First Name <span class="text-red-500">*</span> </label>
-        <lfx-input-text
-          size="small"
-          [form]="form()"
-          control="first_name"
-          id="first-name"
-          placeholder="Enter first name"
-          styleClass="w-full"
-          data-testid="settings-user-form-first-name"></lfx-input-text>
-        @if (form().get('first_name')?.errors?.['required'] && form().get('first_name')?.touched) {
-          <p class="mt-1 text-xs text-red-600">First name is required</p>
-        }
-      </div>
-
-      <!-- Last Name -->
-      <div>
-        <label for="last-name" class="block text-sm font-medium text-gray-700 mb-1"> Last Name <span class="text-red-500">*</span> </label>
-        <lfx-input-text
-          size="small"
-          [form]="form()"
-          control="last_name"
-          id="last-name"
-          placeholder="Enter last name"
-          styleClass="w-full"
-          data-testid="settings-user-form-last-name"></lfx-input-text>
-        @if (form().get('last_name')?.errors?.['required'] && form().get('last_name')?.touched) {
-          <p class="mt-1 text-xs text-red-600">Last name is required</p>
-        }
-      </div>
-    </div>
-
-    <!-- Email Address -->
+    <!-- Username -->
     <div>
-      <label for="email" class="block text-sm font-medium text-gray-700 mb-1"> Email Address <span class="text-red-500">*</span> </label>
+      <label for="username" class="block text-sm font-medium text-gray-700 mb-1"> Username <span class="text-red-500">*</span> </label>
       <lfx-input-text
         size="small"
         [form]="form()"
-        control="email"
-        id="email"
-        placeholder="Enter email address"
+        control="username"
+        id="username"
+        placeholder="Enter username"
         styleClass="w-full"
-        data-testid="settings-user-form-email"></lfx-input-text>
-      @if (form().get('email')?.errors?.['required'] && form().get('email')?.touched) {
-        <p class="mt-1 text-xs text-red-600">Email address is required</p>
-      }
-      @if (form().get('email')?.errors?.['email'] && form().get('email')?.touched) {
-        <p class="mt-1 text-xs text-red-600">Please enter a valid email address</p>
+        data-testid="settings-user-form-username"></lfx-input-text>
+      @if (form().get('username')?.errors?.['required'] && form().get('username')?.touched) {
+        <p class="mt-1 text-xs text-red-600">Username is required</p>
       }
     </div>
   </div>
 
   <!-- Permission Settings Section -->
   <div class="flex flex-col gap-3">
-    <!-- Permission Scope -->
-    <div>
-      <div class="flex items-center gap-2 mb-3">
-        <label class="block text-sm font-medium text-gray-700">Permission Scope</label>
-        <i
-          class="fa-light fa-info-circle text-gray-400 cursor-help"
-          [pTooltip]="scopeTooltip"
-          tooltipPosition="right"
-          [escape]="false"
-          tooltipStyleClass="text-xs max-w-sm"></i>
-      </div>
-      <div class="flex flex-col gap-2">
-        @for (option of permissionScopeOptions; track option.value) {
-          <lfx-radio-button
-            [form]="form()"
-            control="permission_scope"
-            name="permission_scope"
-            [inputId]="'scope-' + option.value"
-            [value]="option.value"
-            [label]="option.label"></lfx-radio-button>
-        }
-      </div>
-    </div>
-
-    <!-- Permission Level -->
+    <!-- Role Selection -->
     <div>
       <div class="flex items-center gap-2 mb-3">
-        <label class="block text-sm font-medium text-gray-700">Permission Level</label>
+        <label class="block text-sm font-medium text-gray-700">Role</label>
         <i
           class="fa-light fa-info-circle text-gray-400 cursor-help"
-          [pTooltip]="levelTooltip"
+          [pTooltip]="roleTooltip"
           tooltipPosition="right"
           [escape]="false"
           tooltipStyleClass="text-xs max-w-sm"></i>
@@ -99,50 +38,22 @@
         @for (option of permissionLevelOptions; track option.value) {
           <lfx-radio-button
             [form]="form()"
-            control="permission_level"
-            name="permission_level"
-            [inputId]="'level-' + option.value"
+            control="role"
+            name="role"
+            [inputId]="'role-' + option.value"
             [value]="option.value"
             [label]="option.label"></lfx-radio-button>
         }
       </div>
     </div>
 
-    <!-- Committee Selection (only when scope is committee) -->
-    @if (form().get('permission_scope')?.value === 'committee') {
-      <div>
-        <label for="committee-ids" class="block text-sm font-medium text-gray-700 mb-1">Select Committees <span class="text-red-500">*</span></label>
-        <p class="text-xs text-gray-500 mb-2">Choose which committees this user can access</p>
-        <lfx-multi-select
-          [form]="form()"
-          control="committee_ids"
-          [options]="committees()"
-          size="small"
-          placeholder="Select committees"
-          appendTo="body"
-          id="committee-ids"
-          data-testid="settings-user-form-committee-ids"
-          styleClass="w-full"></lfx-multi-select>
-        @if (form().get('committee_ids')?.errors?.['required'] && form().get('committee_ids')?.touched) {
-          <p class="mt-1 text-xs text-red-600">At least one committee must be selected</p>
-        }
-      </div>
-    }
-
     <!-- Permission Summary -->
     <div class="bg-gray-50 p-3 rounded-md text-sm">
       <div class="font-medium text-gray-700 mb-1">Permission Summary:</div>
-      @if (form().get('permission_scope')?.value === 'project') {
-        <div class="text-gray-600">
-          <strong>{{ form().get('permission_level')?.value === 'read' ? 'View-only' : 'Full' }}</strong> access to <strong>entire project</strong> including all
-          committees, meetings, and mailing lists.
-        </div>
-      } @else {
-        <div class="text-gray-600">
-          <strong>{{ form().get('permission_level')?.value === 'read' ? 'View-only' : 'Full' }}</strong> access to <strong>selected committees</strong> and
-          their associated meetings and mailing lists only.
-        </div>
-      }
+      <div class="text-gray-600">
+        <strong>{{ form().get('role')?.value === 'view' ? 'View-only' : 'Full management' }}</strong> access to the <strong>entire project</strong> including
+        all committees, meetings, and mailing lists.
+      </div>
     </div>
   </div>
 
@@ -166,16 +77,9 @@
   </div>
 </form>
 
-<ng-template #scopeTooltip>
-  <div class="flex flex-col">
-    <div><strong>Project:</strong> Access to entire project including all committees, meetings, and mailing lists</div>
-    <div><strong>Committee:</strong> Access limited to specific committees and their associated content only</div>
-  </div>
-</ng-template>
-
-<ng-template #levelTooltip>
+<ng-template #roleTooltip>
   <div class="flex flex-col">
-    <div><strong>View:</strong> Read-only access to view and browse content</div>
-    <div><strong>Manage:</strong> Full access to create, edit, delete, and manage content</div>
+    <div><strong>View:</strong> Read-only access to view and browse all project content</div>
+    <div><strong>Manage:</strong> Full access to create, edit, delete, and manage all project content</div>
   </div>
 </ng-template>