@saooti/octopus-sdk 41.7.1 → 41.7.3

package/CHANGELOG.md

@@ -1,6 +1,22 @@
 # CHANGELOG
 
-## 41.7.1 (En cours)
+## 41.7.3 (11/03/2026)
+
+**Features**
+
+- Intégration du composable de vérification des droits
+
+**Fix**
+
+- Correction affichage épisodes à valider pour `PODCAST_VALIDATION`.
+
+## 41.7.2 (10/03/2026)
+
+**Fix**
+
+- Correction tri épisodes dans `PodcastPresentationList`
+
+## 41.7.1 (10/03/2026)
 
 **Fix**
 

package/index.ts

@@ -118,6 +118,7 @@ export const getClassicTagInput = () => import("./src/components/form/ClassicTag
 export const getClassicWysiwyg = () => import("./src/components/form/ClassicWysiwyg.vue");
 
 //Composable
+import { useRights, EditRight } from "./src/components/composable/useRights.ts";
 import {useResizePhone} from "./src/components/composable/useResizePhone";
 import {useTagOf} from "./src/components/composable/useTagOf.ts";
 import {useSelenium} from "./src/components/composable/useSelenium.ts";
@@ -202,6 +203,8 @@ import { ROUTE_PARAMS } from "./src/components/composable/route/types";
 import { defineAsyncComponent } from "vue";
 
 export {
+    useRights,
+    EditRight,
     useResizePhone,
     useTagOf,
     useSelenium,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@saooti/octopus-sdk",
-  "version": "41.7.1",
+  "version": "41.7.3",
   "private": false,
   "description": "Javascript SDK for using octopus",
   "author": "Saooti",

package/src/components/composable/route/useAdvancedParamInit.ts

@@ -9,6 +9,7 @@ import dayjs from "dayjs";
 
 import { RouteProps } from "./types";
 import { EmissionGroup, groupsApi } from "../../../api/groupsApi";
+import { useRights } from "../useRights";
 
 export const useAdvancedParamInit = (props: RouteProps, isEmission: boolean) => {
 
@@ -18,7 +19,7 @@ export const useAdvancedParamInit = (props: RouteProps, isEmission: boolean) =>
 
   const filterStore  = useFilterStore();
   const authStore  = useAuthStore();
-
+  const { canValidatePodcast } = useRights();
 
   const isInit = ref(false);
   const monetisable = ref("UNDEFINED");// UNDEFINED, YES, NO
@@ -125,8 +126,8 @@ export const useAdvancedParamInit = (props: RouteProps, isEmission: boolean) =>
     includeHidden.value = undefined !== organisation.value && organisationRight.value && "false"!==props.routeIncludeHidden;
   }
 
-  function initValidity(){
-    const cantDisplay = isPodcastmaker.value || isEmission || !includeHidden.value || !authStore.isRoleContribution || !organisationRight.value;
+  function initValidity() {
+    const cantDisplay = isPodcastmaker.value || isEmission || !includeHidden.value || !canValidatePodcast();
     if(cantDisplay){
       validity.value = "true";
     }else{

package/src/components/composable/useRights.ts

@@ -0,0 +1,196 @@
+import { useAuthStore } from "../../stores/AuthStore";
+import type { Emission } from "../../stores/class/general/emission";
+import type { Podcast } from "../../stores/class/general/podcast";
+
+type Role =
+    'ADMIN'|'ORGANISATION'|
+    'PRODUCTION'|'RESTRICTED_PRODUCTION'|'PODCAST_CRUD'|'PODCAST_VALIDATION'|
+    'PLAYLISTS'|'RESTRICTED_ANIMATION';
+
+export enum EditRight {
+    None,          // User cannot edit
+    Restricted,    // User cannot edit because element is used elsewhere
+    Full           // User can edit
+}
+/**
+ * Composable to manage rights.
+ * Based on AuthStore, but converts roles to easily usable tests for various
+ * actions.
+ */
+export const useRights = () => {
+    const authStore = useAuthStore();
+
+    function roleContainsAny(...roles: Role[]): boolean {
+	    return (authStore.authRole as Role[]).findIndex((r: Role) => roles.includes(r)) > -1;
+    }
+
+    // Creation is limited by roles
+    function canCreateEmission(): boolean {
+	    return roleContainsAny('ADMIN', 'ORGANISATION', 'PRODUCTION', 'RESTRICTED_PRODUCTION');
+    }
+
+    function canEditEmission(emission: Emission): boolean {
+        if (
+            // Can edit new emissions
+            (!emission.emissionId && canCreateEmission()) ||
+            // Can edit when with sufficient rights
+		    roleContainsAny('ADMIN', 'ORGANISATION', 'PRODUCTION')
+        ) {
+            return true;
+        }
+
+	    // Can only edit if has created the emission
+	    return (roleContainsAny('RESTRICTED_PRODUCTION') && emission.createdByUserId === authStore.authProfile?.userId);
+    }
+
+    function canDeleteEmission(): boolean {
+	    // In case of restricted production, it will only delete podcasts
+	    // created by user, and delete the emission only if empty afterwards
+	    return roleContainsAny('ADMIN', 'ORGANISATION', 'PRODUCTION', 'RESTRICTED_PRODUCTION');
+    }
+
+    function canEditCommentsConfigEmission(): boolean {
+        return roleContainsAny('ADMIN', 'ORGANISATION', 'PRODUCTION');
+    }
+
+    function canCreatePodcast(): boolean {
+        // All roles that can create podcasts
+        return roleContainsAny(
+            'ADMIN',
+            'ORGANISATION',
+            'PRODUCTION',
+            'PODCAST_CRUD',
+            'RESTRICTED_PRODUCTION',
+            'RESTRICTED_ANIMATION'
+        );
+    }
+
+    function canDuplicatePodcast(): boolean {
+        // Same as creationm but notably without PODCAST_CRUD and
+        // RESTRICTED_ANIMATION
+        return roleContainsAny(
+            'ADMIN',
+            'ORGANISATION',
+            'PRODUCTION',
+            'RESTRICTED_PRODUCTION',
+        );
+    }
+
+    function canEditPodcast(podcast: Podcast): boolean {
+        // Full rights users can edit any podcast
+        if (roleContainsAny('ADMIN', 'ORGANISATION', 'PRODUCTION')) {
+            return true;
+        }
+
+        // RESTRICTED users can only edit their own podcasts
+        if (roleContainsAny('RESTRICTED_PRODUCTION', 'RESTRICTED_ANIMATION')) {
+            return podcast.createdByUserId === authStore.authProfile?.userId;
+        }
+
+        // PODCAST_CRUD can only edit their own non-valid podcasts
+        if (roleContainsAny('PODCAST_CRUD')) {
+            return podcast.valid === false &&
+                   podcast.publisher?.userId === authStore.authProfile?.userId;
+        }
+
+        return false;
+    }
+
+    function canDeletePodcast(podcast: Podcast): boolean {
+        // Same permissions as editing
+        return canEditPodcast(podcast);
+    }
+
+    function canValidatePodcast(): boolean {
+        return roleContainsAny('ADMIN', 'ORGANISATION', 'PRODUCTION', 'PODCAST_VALIDATION');
+    }
+
+    function canEditCommentsConfigPodcast(): boolean {
+        return roleContainsAny('ADMIN', 'ORGANISATION', 'PRODUCTION');
+    }
+
+    function canCreatePlaylist(): boolean {
+        return roleContainsAny('ADMIN', 'ORGANISATION', 'PLAYLISTS');
+    }
+
+    function canEditPlaylist(): boolean {
+        return roleContainsAny('ADMIN', 'ORGANISATION', 'PLAYLISTS');
+    }
+
+    function canDeletePlaylist(): boolean {
+        return roleContainsAny('ADMIN', 'ORGANISATION', 'PLAYLISTS');
+    }
+
+    function canCreateParticipant(): boolean {
+        return roleContainsAny('ADMIN', 'ORGANISATION', 'PRODUCTION', 'RESTRICTED_PRODUCTION');
+    }
+
+    async function getParticipantEditRight(participantId: number|undefined): Promise<EditRight> {
+        // New participants can be edited, and also with sufficient rights
+	    if(!participantId || roleContainsAny('ADMIN', 'ORGANISATION', 'PRODUCTION', 'RESTRICTED_PRODUCTION')) {
+	        return EditRight.Full;
+	    } else {
+	        return EditRight.None;
+	    }
+    }
+
+    async function canEditParticipant(participantId: number|undefined): Promise<boolean> {
+        const editRight = await getParticipantEditRight(participantId);
+        return editRight === EditRight.Full;
+    }
+
+
+    async function canDeleteParticipant(participantId: number|undefined): Promise<boolean> {
+        const editRight = await getParticipantEditRight(participantId);
+        return editRight === EditRight.Full;
+    }
+
+    function canEditCodeInsertPlayer(): boolean {
+        return roleContainsAny('ADMIN', 'ORGANISATION');
+    }
+
+    function canEditTranscript(): boolean {
+        return roleContainsAny('ADMIN', 'ORGANISATION', 'PRODUCTION');
+    }
+
+    function canSeeHistory(): boolean {
+        return roleContainsAny('ADMIN', 'ORGANISATION');
+    }
+
+    function isRestrictedProduction(): boolean {
+        return roleContainsAny('RESTRICTED_PRODUCTION') && !roleContainsAny('ADMIN', 'ORGANISATION', 'PRODUCTION');
+    }
+
+    return {
+        // Emissions
+        canCreateEmission,
+        canEditEmission,
+        canDeleteEmission,
+        canEditCommentsConfigEmission,
+
+        // Podcasts
+        canCreatePodcast,
+        canDuplicatePodcast,
+        canEditPodcast,
+        canDeletePodcast,
+        canValidatePodcast,
+        canEditCommentsConfigPodcast,
+
+        // Playlists
+        canCreatePlaylist,
+        canEditPlaylist,
+        canDeletePlaylist,
+
+        // Participants
+        canCreateParticipant,
+        getParticipantEditRight,
+        canEditParticipant,
+        canDeleteParticipant,
+
+        // Other
+        canEditCodeInsertPlayer,
+        canEditTranscript,
+        canSeeHistory,
+        isRestrictedProduction
+    }
+}

package/src/components/display/live/RadioPlanning.vue

@@ -254,9 +254,7 @@ function createArrayDays() {
     });
   }
 }
-async function fetchOccurrencesAndLives(): Promise<
-  Array<PlanningOccurrence | PlanningLive>
-> {
+async function fetchOccurrencesAndLives(): Promise<Array<PlanningOccurrence|PlanningLive>> {
   const params = {
     canalId: props.radio?.id,
     from:startOfDay.value,
@@ -275,6 +273,7 @@ async function fetchOccurrencesAndLives(): Promise<
     path: "live/list",
     parameters: params,
   });
+
   if (lives.length) {
     occurrences = occurrences.concat(lives);
     occurrences.sort((a, b) => {
@@ -286,6 +285,7 @@ async function fetchOccurrencesAndLives(): Promise<
   }
   return occurrences;
 }
+
 async function fetchOccurrences(): Promise<void> {
   if (planning.value[daySelected.value]) {
     return;
@@ -310,6 +310,7 @@ async function fetchOccurrences(): Promise<void> {
       ) {
         periodDayIndex += 1;
       }
+
       switch (periodOfDay.value[periodDayIndex].id) {
         case "morning":
           planning.value[daySelected.value].morning.push(occ);
@@ -325,8 +326,9 @@ async function fetchOccurrences(): Promise<void> {
       }
       planningLength.value[daySelected.value] += 1;
     }
-  } catch {
+  } catch(e) {
     error.value = true;
+    console.error(e);
   }
   loading.value = false;
 }

package/src/components/display/podcasts/PodcastPresentationList.vue

@@ -116,9 +116,15 @@ async function fetchNext(): Promise<void> {
         return simplifiedToFull(p, emission.orga, emission);
       })
     );
+
+    // Sort podcasts by pub date so that the most recent one is focused
+    podcasts.value.sort((p1, p2) => {
+      return new Date(p2.pubDate).getTime() - new Date(p1.pubDate).getTime();
+    });
+    
     loading.value = false;
   } catch (errorWs) {
-    console.log(errorWs);
+    console.error(errorWs);
     handle403(errorWs as AxiosError);
     error.value = true;
   }

package/tests/components/composable/useAdvancedParamInit.spec.ts

@@ -0,0 +1,90 @@
+import '@tests/mocks/useRouter';
+
+import { describe, expect, it, vi, beforeEach } from 'vitest';
+import { defineComponent, nextTick } from 'vue';
+import { mount as _mount } from '@vue/test-utils';
+
+import { useAdvancedParamInit } from '@/components/composable/route/useAdvancedParamInit';
+import { state } from '@/stores/ParamSdkStore';
+import { setupPinia, setupAuthStore } from '@tests/utils';
+import type { RouteProps } from '@/components/composable/route/types';
+
+vi.mock('@/api/groupsApi', () => ({
+    groupsApi: { getAllById: vi.fn().mockResolvedValue({}) }
+}));
+
+async function setupComposable(
+    props: RouteProps,
+    isEmission: boolean,
+    patchStores?: () => void | Promise<void>
+): Promise<ReturnType<typeof useAdvancedParamInit>> {
+    let result!: ReturnType<typeof useAdvancedParamInit>;
+
+    const pinia = setupPinia();
+    await patchStores?.();
+
+    _mount(defineComponent({
+        setup() { result = useAdvancedParamInit(props, isEmission); return {}; },
+        template: '<div/>'
+    }), { global: { plugins: [pinia] } });
+
+    await nextTick(); // allow onMounted
+    await nextTick(); // allow isInit via nextTick in initAdvancedParams
+
+    return result;
+}
+
+describe('useAdvancedParamInit', () => {
+    beforeEach(() => {
+        state.generalParameters.podcastmaker = false;
+    });
+
+    describe('initValidity', () => {
+        const propsWithHidden: RouteProps = { routeValidity: 'false', routeIncludeHidden: 'true' };
+        const withOrg = (roles: string[]) => setupAuthStore({ roles, organisationId: 'test-org-id' });
+
+        describe('forces validity to "true"', () => {
+            it('when isEmission is true', async () => {
+                const { validity } = await setupComposable(propsWithHidden, true, withOrg(['PRODUCTION']));
+                expect(validity.value).toBe('true');
+            });
+
+            it('when isPodcastmaker is true', async () => {
+                state.generalParameters.podcastmaker = true;
+                const { validity } = await setupComposable(propsWithHidden, false, withOrg(['PRODUCTION']));
+                expect(validity.value).toBe('true');
+            });
+
+            it('when includeHidden is false (no org)', async () => {
+                // authOrgaId starts undefined → filterOrgaId undefined → organisation undefined → includeHidden false
+                const { validity } = await setupComposable(propsWithHidden, false);
+                expect(validity.value).toBe('true');
+            });
+
+            it('when routeIncludeHidden is "false"', async () => {
+                const { validity } = await setupComposable(
+                    { routeValidity: 'false', routeIncludeHidden: 'false' },
+                    false,
+                    withOrg(['PRODUCTION'])
+                );
+                expect(validity.value).toBe('true');
+            });
+
+            (['PODCAST_CRUD', 'RESTRICTED_PRODUCTION', 'PLAYLISTS'] as const).forEach(role => {
+                it(`when role cannot validate (${role})`, async () => {
+                    const { validity } = await setupComposable(propsWithHidden, false, withOrg([role]));
+                    expect(validity.value).toBe('true');
+                });
+            });
+        });
+
+        describe('uses routeValidity when canValidatePodcast() is true', () => {
+            (['ADMIN', 'ORGANISATION', 'PRODUCTION', 'PODCAST_VALIDATION'] as const).forEach(role => {
+                it(`allows role ${role}`, async () => {
+                    const { validity } = await setupComposable(propsWithHidden, false, withOrg([role]));
+                    expect(validity.value).toBe('false');
+                });
+            });
+        });
+    });
+});

package/tests/components/composable/useRights.spec.ts

@@ -0,0 +1,265 @@
+import { describe, expect, it } from 'vitest';
+import { setupPinia, setupAuthStore } from '@tests/utils';
+import { useAuthStore } from '@/stores/AuthStore';
+import { useRights } from '@/components/composable/useRights';
+import type { Organisation } from '@/stores/class/general/organisation';
+import type { Emission } from '@/stores/class/general/emission';
+import type { Podcast } from '@/stores/class/general/podcast';
+
+async function setup(roles: string[], userId = 'test-user-123'): Promise<void> {
+    setupPinia();
+    await setupAuthStore({ roles })();
+    useAuthStore().$patch({ authProfile: { userId } });
+}
+
+describe('useRights', () => {
+    describe('Emission permissions', () => {
+        describe('canCreateEmission', () => {
+            ['ADMIN', 'ORGANISATION', 'PRODUCTION', 'RESTRICTED_PRODUCTION'].forEach(role => {
+                it(`allows ${role}`, async () => {
+                    await setup([role]);
+                    expect(useRights().canCreateEmission()).toBe(true);
+                });
+            });
+
+            it('denies unrelated roles', async () => {
+                await setup(['PLAYLISTS']);
+                expect(useRights().canCreateEmission()).toBe(false);
+            });
+        });
+
+        describe('canEditEmission', () => {
+            it('allows ADMIN to edit any emission', async () => {
+                await setup(['ADMIN']);
+                expect(useRights().canEditEmission({ emissionId: 1, createdByUserId: 'other-user' } as Emission)).toBe(true);
+            });
+
+            it('allows RESTRICTED_PRODUCTION to edit own emission', async () => {
+                await setup(['RESTRICTED_PRODUCTION']);
+                expect(useRights().canEditEmission({ emissionId: 1, createdByUserId: 'test-user-123' } as Emission)).toBe(true);
+            });
+
+            it('denies RESTRICTED_PRODUCTION editing others\' emission', async () => {
+                await setup(['RESTRICTED_PRODUCTION']);
+                expect(useRights().canEditEmission({ emissionId: 1, createdByUserId: 'other-user' } as Emission)).toBe(false);
+            });
+
+            it('allows editing new emissions if can create', async () => {
+                await setup(['PRODUCTION']);
+                const newEmission = {
+                    emissionId: undefined,
+                    beneficiaries: [],
+                    description: '',
+                    monetisable: false,
+                    name: 'New Emission',
+                    orga: {} as Organisation,
+                    rubriqueIds: []
+                } as unknown as Emission;
+                expect(useRights().canEditEmission(newEmission)).toBe(true);
+            });
+        });
+
+        describe('canDeleteEmission', () => {
+            ['ADMIN', 'ORGANISATION', 'PRODUCTION', 'RESTRICTED_PRODUCTION'].forEach(role => {
+                it(`allows ${role}`, async () => {
+                    await setup([role]);
+                    expect(useRights().canDeleteEmission()).toBe(true);
+                });
+            });
+
+            it('denies unrelated roles', async () => {
+                await setup(['PLAYLISTS']);
+                expect(useRights().canDeleteEmission()).toBe(false);
+            });
+        });
+    });
+
+    describe('Podcast permissions', () => {
+        describe('canCreatePodcast', () => {
+            ['ADMIN', 'ORGANISATION', 'PRODUCTION', 'PODCAST_CRUD', 'RESTRICTED_PRODUCTION', 'RESTRICTED_ANIMATION'].forEach(role => {
+                it(`allows ${role}`, async () => {
+                    await setup([role]);
+                    expect(useRights().canCreatePodcast()).toBe(true);
+                });
+            });
+
+            it('denies unrelated roles', async () => {
+                await setup(['PLAYLISTS']);
+                expect(useRights().canCreatePodcast()).toBe(false);
+            });
+        });
+
+        describe('canDuplicatePodcast', () => {
+            ['ADMIN', 'ORGANISATION', 'PRODUCTION', 'RESTRICTED_PRODUCTION'].forEach(role => {
+                it(`allows ${role}`, async () => {
+                    await setup([role]);
+                    expect(useRights().canDuplicatePodcast()).toBe(true);
+                });
+            });
+
+            it('denies unrelated roles', async () => {
+                await setup(['PLAYLISTS']);
+                expect(useRights().canDuplicatePodcast()).toBe(false);
+            });
+        });
+
+        describe('canEditPodcast', () => {
+            const ownPodcast = { podcastId: 1, createdByUserId: 'test-user-123', valid: true } as Podcast;
+            const otherPodcast = { podcastId: 1, createdByUserId: 'other-user', valid: true } as Podcast;
+
+            ['ADMIN', 'ORGANISATION', 'PRODUCTION'].forEach(role => {
+                it(`allows ${role} to edit any podcast`, async () => {
+                    await setup([role]);
+                    expect(useRights().canEditPodcast(otherPodcast)).toBe(true);
+                });
+            });
+
+            it('allows PODCAST_CRUD to edit own non-valid podcast', async () => {
+                await setup(['PODCAST_CRUD']);
+                const podcast = { podcastId: 1, valid: false, publisher: { userId: 'test-user-123' } } as Podcast;
+                expect(useRights().canEditPodcast(podcast)).toBe(true);
+            });
+
+            it('denies PODCAST_CRUD editing own valid podcast', async () => {
+                await setup(['PODCAST_CRUD']);
+                const podcast = { podcastId: 1, valid: true, publisher: { userId: 'test-user-123' } } as Podcast;
+                expect(useRights().canEditPodcast(podcast)).toBe(false);
+            });
+
+            it('denies PODCAST_CRUD editing others\' podcast', async () => {
+                await setup(['PODCAST_CRUD']);
+                const podcast = { podcastId: 1, valid: false, publisher: { userId: 'other-user' } } as Podcast;
+                expect(useRights().canEditPodcast(podcast)).toBe(false);
+            });
+
+            ['RESTRICTED_PRODUCTION', 'RESTRICTED_ANIMATION'].forEach(role => {
+                it(`allows ${role} to edit own podcast`, async () => {
+                    await setup([role]);
+                    expect(useRights().canEditPodcast(ownPodcast)).toBe(true);
+                });
+
+                it(`denies ${role} editing others' podcast`, async () => {
+                    await setup([role]);
+                    expect(useRights().canEditPodcast(otherPodcast)).toBe(false);
+                });
+            });
+
+            it('denies unrelated roles', async () => {
+                await setup(['PLAYLISTS']);
+                expect(useRights().canEditPodcast(ownPodcast)).toBe(false);
+            });
+
+            // Regression: RESTRICTED_* must take priority over PODCAST_CRUD when both roles are present.
+            ['RESTRICTED_PRODUCTION', 'RESTRICTED_ANIMATION'].forEach(role => {
+                it(`allows ${role} + PODCAST_CRUD to edit own valid podcast`, async () => {
+                    await setup([role, 'PODCAST_CRUD']);
+                    const podcast = { podcastId: 1, createdByUserId: 'test-user-123', valid: true, publisher: { userId: 'test-user-123' } } as Podcast;
+                    expect(useRights().canEditPodcast(podcast)).toBe(true);
+                });
+            });
+
+            it('denies RESTRICTED_PRODUCTION + PODCAST_CRUD editing others\' valid podcast', async () => {
+                await setup(['RESTRICTED_PRODUCTION', 'PODCAST_CRUD']);
+                const podcast = { podcastId: 1, createdByUserId: 'other-user', valid: true, publisher: { userId: 'other-user' } } as Podcast;
+                expect(useRights().canEditPodcast(podcast)).toBe(false);
+            });
+        });
+
+        describe('canDeletePodcast', () => {
+            it('delegates to canEditPodcast', async () => {
+                await setup(['RESTRICTED_PRODUCTION']);
+                expect(useRights().canDeletePodcast({ podcastId: 1, createdByUserId: 'test-user-123' } as Podcast)).toBe(true);
+                expect(useRights().canDeletePodcast({ podcastId: 1, createdByUserId: 'other-user' } as Podcast)).toBe(false);
+            });
+        });
+
+        describe('canValidatePodcast', () => {
+            ['ADMIN', 'ORGANISATION', 'PRODUCTION', 'PODCAST_VALIDATION'].forEach(role => {
+                it(`allows ${role}`, async () => {
+                    await setup([role]);
+                    expect(useRights().canValidatePodcast()).toBe(true);
+                });
+            });
+
+            ['PODCAST_CRUD', 'RESTRICTED_PRODUCTION', 'PLAYLISTS'].forEach(role => {
+                it(`denies ${role}`, async () => {
+                    await setup([role]);
+                    expect(useRights().canValidatePodcast()).toBe(false);
+                });
+            });
+        });
+    });
+
+    describe('Playlist permissions', () => {
+        ['canCreatePlaylist', 'canEditPlaylist', 'canDeletePlaylist'].forEach(method => {
+            describe(method, () => {
+                ['ADMIN', 'ORGANISATION', 'PLAYLISTS'].forEach(role => {
+                    it(`allows ${role}`, async () => {
+                        await setup([role]);
+                        expect(useRights()[method as 'canCreatePlaylist']()).toBe(true);
+                    });
+                });
+
+                it('denies unrelated roles', async () => {
+                    await setup(['PRODUCTION']);
+                    expect(useRights()[method as 'canCreatePlaylist']()).toBe(false);
+                });
+            });
+        });
+    });
+
+    describe('Participant permissions', () => {
+        describe('canCreateParticipant', () => {
+            ['ADMIN', 'ORGANISATION', 'PRODUCTION', 'RESTRICTED_PRODUCTION'].forEach(role => {
+                it(`allows ${role}`, async () => {
+                    await setup([role]);
+                    expect(useRights().canCreateParticipant()).toBe(true);
+                });
+            });
+
+            it('denies unrelated roles', async () => {
+                await setup(['PLAYLISTS']);
+                expect(useRights().canCreateParticipant()).toBe(false);
+            });
+        });
+
+        ['canEditParticipant', 'canDeleteParticipant'].forEach(method => {
+            describe(method, () => {
+                ['ADMIN', 'ORGANISATION', 'PRODUCTION', 'RESTRICTED_PRODUCTION'].forEach(role => {
+                    it(`allows ${role}`, async () => {
+                        await setup([role]);
+                        expect(await useRights()[method as 'canEditParticipant'](123)).toBe(true);
+                    });
+                });
+
+                it('allows undefined id (new participant)', async () => {
+                    await setup(['RESTRICTED_PRODUCTION']);
+                    expect(await useRights()[method as 'canEditParticipant'](undefined)).toBe(true);
+                });
+
+                it('denies unrelated roles for existing participant', async () => {
+                    await setup(['PLAYLISTS']);
+                    expect(await useRights()[method as 'canEditParticipant'](123)).toBe(false);
+                });
+            });
+        });
+    });
+
+    describe('Other permissions', () => {
+        describe('canEditCodeInsertPlayer', () => {
+            ['ADMIN', 'ORGANISATION'].forEach(role => {
+                it(`allows ${role}`, async () => {
+                    await setup([role]);
+                    expect(useRights().canEditCodeInsertPlayer()).toBe(true);
+                });
+            });
+
+            ['PRODUCTION', 'PODCAST_CRUD', 'RESTRICTED_PRODUCTION', 'PLAYLISTS'].forEach(role => {
+                it(`denies ${role}`, async () => {
+                    await setup([role]);
+                    expect(useRights().canEditCodeInsertPlayer()).toBe(false);
+                });
+            });
+        });
+    });
+});

package/tests/utils.ts

@@ -1,7 +1,7 @@
 import { Component } from 'vue';
 import { vi } from 'vitest';
 import { mount as _mount, VueWrapper } from '@vue/test-utils';
-import { type Pinia, setActivePinia } from 'pinia';
+import { type Pinia, setActivePinia, createPinia } from 'pinia';
 import { createTestingPinia } from '@pinia/testing';
 
 import { useAuthStore } from '../src/stores/AuthStore';
@@ -159,3 +159,14 @@ export function combineStoreSetups(...setups: Array<() => void>) {
 }
 
 export { VueWrapper };
+
+/**
+ * Creates a Pinia instance without mounting a component.
+ * Use this for testing composables or APIs directly.
+ */
+export function setupPinia(setupFn?: () => void | Promise<void>): Pinia {
+    const pinia = createPinia();
+    setActivePinia(pinia);
+    if (setupFn) { setupFn(); }
+    return pinia;
+}