Hide subscription settings page if user doesn't have permission to manage subscriptions

CHANGELOG.md

@@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 
 - Improved username validation.
+- Hide subscription settings page if user doesn't have permission to manage subscriptions.
 
 ### Fixed
 

src/api/users.ts

@@ -32,6 +32,7 @@ interface Role {
 
 export enum Permissions {
   CreatePost = "create_post",
+  ManageSubscriptionOptions = "manage_subscription_options",
 }
 
 export interface Profile {

src/components/Sidebar.vue

@@ -16,7 +16,7 @@
       <span>Profile directory</span>
     </router-link>
     <router-link
-      v-if="isSubscriptionsFeatureEnabled()"
+      v-if="canManageSubscriptions()"
       class="sidebar-link"
       :to="{ name: 'subscriptions-settings' }"
     >
@@ -43,6 +43,7 @@ import { onMounted } from "vue"
 import { $, $computed } from "vue/macros"
 import { useRouter } from "vue-router"
 
+import { Permissions } from "@/api/users"
 import { useNotifications } from "@/store/notifications"
 import { useCurrentUser } from "@/store/user"
 import { useInstanceInfo } from "@/store/instance"
@@ -71,9 +72,14 @@ const unreadNotificationCount = $computed<number>(() => {
   return getUnreadNotificationCount()
 })
 
-function isSubscriptionsFeatureEnabled(): boolean {
+function canManageSubscriptions(): boolean {
   const blockchain = instance?.blockchains[0]
-  return Boolean(blockchain?.features.subscriptions)
+  const isSubscriptionsFeatureEnabled = Boolean(blockchain?.features.subscriptions)
+  return (
+    isSubscriptionsFeatureEnabled &&
+    currentUser !== null &&
+    currentUser.role.permissions.includes(Permissions.ManageSubscriptionOptions)
+  )
 }
 
 async function logout() {

src/router/index.ts

@@ -20,6 +20,7 @@ import SearchResultList from "@/views/SearchResultList.vue"
 import SubscriptionPage from "@/views/SubscriptionPage.vue"
 import SubscriptionsSettings from "@/views/SubscriptionsSettings.vue"
 
+import { Permissions } from "@/api/users"
 import { useCurrentUser } from "@/store/user"
 
 async function authGuard(to: any) {
@@ -152,6 +153,12 @@ const routes: Array<RouteRecordRaw> = [
     name: "subscriptions-settings",
     component: SubscriptionsSettings,
     meta: { onlyAuthenticated: true },
+    beforeEnter: () => {
+      const { ensureCurrentUser } = useCurrentUser()
+      return ensureCurrentUser()
+        .role.permissions
+        .includes(Permissions.ManageSubscriptionOptions)
+    },
   },
   {
     path: "/@:acct(.*)",

src/views/Profile.vue

@@ -259,6 +259,7 @@ import { getReceivedSubscriptions } from "@/api/subscriptions-common"
 import {
   getProfile,
   lookupProfile,
+  Permissions,
   Profile,
   ProfileField,
   ProfileWrapper,
@@ -541,7 +542,9 @@ function canManageSubscriptions(): boolean {
   return (
     isSubscriptionsFeatureEnabled() &&
     profile !== null &&
-    isCurrentUser()
+    currentUser !== null &&
+    isCurrentUser() &&
+    currentUser.role.permissions.includes(Permissions.ManageSubscriptionOptions)
   )
 }