refactor(auth): unify authorization patterns with MANAGE_OWN_PROFILE permission

Issue #2: The profile route used a custom role-based check instead
of the permission-based pattern used everywhere else.

Changes:
- Add MANAGE_OWN_PROFILE permission to backend Permission enum
- Add permission to ROLE_REGULAR role definition
- Update profile routes to use require_permission(MANAGE_OWN_PROFILE)
- Remove custom require_regular_user dependency
- Update frontend Permission constant and profile page
- Update invites page to use permission instead of role check
- Update profile tests with proper permission mocking

This ensures consistent authorization patterns across all routes.

backend/models.py

@@ -40,6 +40,9 @@ class Permission(str, PyEnum):
     # Audit permissions
     VIEW_AUDIT = "view_audit"
 
+    # Profile permissions
+    MANAGE_OWN_PROFILE = "manage_own_profile"
+
     # Invite permissions
     MANAGE_INVITES = "manage_invites"
     VIEW_OWN_INVITES = "view_own_invites"
@@ -93,6 +96,7 @@ ROLE_DEFINITIONS: dict[str, RoleConfig] = {
             Permission.VIEW_COUNTER,
             Permission.INCREMENT_COUNTER,
             Permission.USE_SUM,
+            Permission.MANAGE_OWN_PROFILE,
             Permission.VIEW_OWN_INVITES,
             Permission.BOOK_APPOINTMENT,
             Permission.VIEW_OWN_APPOINTMENTS,

backend/routes/profile.py

@@ -1,30 +1,18 @@
 """Profile routes for user contact details."""
 
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
-from auth import get_current_user
+from auth import require_permission
 from database import get_db
-from models import ROLE_REGULAR, User
+from models import Permission, User
 from schemas import ProfileResponse, ProfileUpdate
 from validation import validate_profile_fields
 
 router = APIRouter(prefix="/api/profile", tags=["profile"])
 
 
-async def require_regular_user(
-    current_user: User = Depends(get_current_user),
-) -> User:
-    """Dependency that requires the user to have the 'regular' role."""
-    if ROLE_REGULAR not in current_user.role_names:
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="Profile access is only available to regular users",
-        )
-    return current_user
-
-
 async def get_godfather_email(db: AsyncSession, godfather_id: int | None) -> str | None:
     """Get the email of a godfather user by ID."""
     if not godfather_id:
@@ -35,7 +23,7 @@ async def get_godfather_email(db: AsyncSession, godfather_id: int | None) -> str
 
 @router.get("", response_model=ProfileResponse)
 async def get_profile(
-    current_user: User = Depends(require_regular_user),
+    current_user: User = Depends(require_permission(Permission.MANAGE_OWN_PROFILE)),
     db: AsyncSession = Depends(get_db),
 ) -> ProfileResponse:
     """Get the current user's profile (contact details and godfather)."""
@@ -54,7 +42,7 @@ async def get_profile(
 async def update_profile(
     data: ProfileUpdate,
     db: AsyncSession = Depends(get_db),
-    current_user: User = Depends(require_regular_user),
+    current_user: User = Depends(require_permission(Permission.MANAGE_OWN_PROFILE)),
 ) -> ProfileResponse:
     """Update the current user's profile (contact details)."""
     # Validate all fields

backend/tests/test_profile.py

@@ -166,12 +166,12 @@ class TestGetProfileEndpoint:
         assert data["nostr_npub"] is None
 
     async def test_admin_user_cannot_access_profile(self, client_factory, admin_user):
-        """Admin user gets 403 when trying to access profile."""
+        """Admin user gets 403 when trying to access profile (lacks MANAGE_OWN_PROFILE)."""
         async with client_factory.create(cookies=admin_user["cookies"]) as client:
             response = await client.get("/api/profile")
 
         assert response.status_code == 403
-        assert "regular users" in response.json()["detail"].lower()
+        assert "manage_own_profile" in response.json()["detail"].lower()
 
     async def test_unauthenticated_user_gets_401(self, client_factory):
         """Unauthenticated user gets 401."""

frontend/app/auth-context.tsx

@@ -13,6 +13,7 @@ export const Permission = {
   INCREMENT_COUNTER: "increment_counter",
   USE_SUM: "use_sum",
   VIEW_AUDIT: "view_audit",
+  MANAGE_OWN_PROFILE: "manage_own_profile",
   MANAGE_INVITES: "manage_invites",
   VIEW_OWN_INVITES: "view_own_invites",
   // Booking permissions (regular users)

frontend/app/invites/page.tsx

@@ -6,6 +6,7 @@ import { Header } from "../components/Header";
 import { useRequireAuth } from "../hooks/useRequireAuth";
 import { components } from "../generated/api";
 import constants from "../../../shared/constants.json";
+import { Permission } from "../auth-context";
 import {
   layoutStyles,
   cardStyles,
@@ -19,7 +20,7 @@ type Invite = components["schemas"]["UserInviteResponse"];
 
 export default function InvitesPage() {
   const { user, isLoading, isAuthorized } = useRequireAuth({
-    requiredRole: constants.roles.REGULAR,
+    requiredPermission: Permission.VIEW_OWN_INVITES,
     fallbackRedirect: "/audit",
   });
   const [invites, setInvites] = useState<Invite[]>([]);

frontend/app/profile/page.test.tsx

@@ -15,11 +15,14 @@ let mockUser: { id: number; email: string; roles: string[]; permissions: string[
   id: 1,
   email: "test@example.com",
   roles: ["regular"],
-  permissions: ["view_counter", "increment_counter", "use_sum"],
+  permissions: ["view_counter", "increment_counter", "use_sum", "manage_own_profile"],
 };
 let mockIsLoading = false;
 const mockLogout = vi.fn();
 const mockHasRole = vi.fn((role: string) => mockUser?.roles.includes(role) ?? false);
+const mockHasPermission = vi.fn(
+  (permission: string) => mockUser?.permissions.includes(permission) ?? false
+);
 
 vi.mock("../auth-context", () => ({
   useAuth: () => ({
@@ -27,7 +30,23 @@ vi.mock("../auth-context", () => ({
     isLoading: mockIsLoading,
     logout: mockLogout,
     hasRole: mockHasRole,
+    hasPermission: mockHasPermission,
   }),
+  Permission: {
+    VIEW_COUNTER: "view_counter",
+    INCREMENT_COUNTER: "increment_counter",
+    USE_SUM: "use_sum",
+    VIEW_AUDIT: "view_audit",
+    MANAGE_OWN_PROFILE: "manage_own_profile",
+    MANAGE_INVITES: "manage_invites",
+    VIEW_OWN_INVITES: "view_own_invites",
+    BOOK_APPOINTMENT: "book_appointment",
+    VIEW_OWN_APPOINTMENTS: "view_own_appointments",
+    CANCEL_OWN_APPOINTMENT: "cancel_own_appointment",
+    MANAGE_AVAILABILITY: "manage_availability",
+    VIEW_ALL_APPOINTMENTS: "view_all_appointments",
+    CANCEL_ANY_APPOINTMENT: "cancel_any_appointment",
+  },
 }));
 
 // Mock profile data
@@ -45,10 +64,13 @@ beforeEach(() => {
     id: 1,
     email: "test@example.com",
     roles: ["regular"],
-    permissions: ["view_counter", "increment_counter", "use_sum"],
+    permissions: ["view_counter", "increment_counter", "use_sum", "manage_own_profile"],
   };
   mockIsLoading = false;
   mockHasRole.mockImplementation((role: string) => mockUser?.roles.includes(role) ?? false);
+  mockHasPermission.mockImplementation(
+    (permission: string) => mockUser?.permissions.includes(permission) ?? false
+  );
 });
 
 afterEach(() => {

frontend/app/profile/page.tsx

@@ -7,6 +7,7 @@ import { Header } from "../components/Header";
 import { useRequireAuth } from "../hooks/useRequireAuth";
 import { components } from "../generated/api";
 import constants from "../../../shared/constants.json";
+import { Permission } from "../auth-context";
 import {
   layoutStyles,
   cardStyles,
@@ -121,7 +122,7 @@ function toFormData(data: ProfileData): FormData {
 
 export default function ProfilePage() {
   const { user, isLoading, isAuthorized } = useRequireAuth({
-    requiredRole: constants.roles.REGULAR,
+    requiredPermission: Permission.MANAGE_OWN_PROFILE,
     fallbackRedirect: "/audit",
   });
   const [originalData, setOriginalData] = useState<FormData | null>(null);