From 74bc3073a757b9d58f38fb470f4fc0aef3538bd9 Mon Sep 17 00:00:00 2001
From: Hyko <punk.flag8609@fastmail.com>
Date: Sat, 25 Apr 2026 09:31:54 -0400
Subject: [PATCH] feat(admin): add permission-based widget visibility on
 dashboard

- add optional `permission` field to `registerWidget` api
- filter widgets in `DashboardPage` based on user permissions
- register users widget with `users.view` permission requirement
- document `permission` parameter in admin README
---
 src/features/admin/README.md                     | 3 ++-
 src/features/admin/pages/DashboardPage.client.js | 5 +++--
 src/features/admin/registry.js                   | 4 ++--
 src/features/admin/widgets/users.client.js       | 2 +-
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/features/admin/README.md b/src/features/admin/README.md
index 778642c..2b210a8 100644
--- a/src/features/admin/README.md
+++ b/src/features/admin/README.md
@@ -160,13 +160,14 @@ Le composant reçoit `data` (retour du fetcher) et `loading` (booléen). Si le f
 | `id` | `string` | Identifiant unique du widget |
 | `fetcher` | `async () => object` | Fonction serveur qui retourne les données |
 
-**`registerWidget({ id, Component, order? })`**
+**`registerWidget({ id, Component, order?, permission? })`**
 
 | Paramètre | Type | Description |
 |-----------|------|-------------|
 | `id` | `string` | Identifiant unique (doit correspondre au fetcher) |
 | `Component` | `ReactComponent` | Composant client affiché dans le tableau de bord |
 | `order` | `number` | Position dans la grille (défaut : `0`) |
+| `permission` | `string` | Clé de permission requise pour voir ce widget (ex. `'users.view'`). Le widget est masqué si l'utilisateur ne possède pas cette permission. |
 
 ---
 
diff --git a/src/features/admin/pages/DashboardPage.client.js b/src/features/admin/pages/DashboardPage.client.js
index 5edc84b..f106f73 100644
--- a/src/features/admin/pages/DashboardPage.client.js
+++ b/src/features/admin/pages/DashboardPage.client.js
@@ -3,9 +3,10 @@
 import { getWidgets, registerPage } from '../registry.js';
 import AdminHeader from '../components/AdminHeader.js';
 
-export default function DashboardPage({ stats }) {
+export default function DashboardPage({ user, stats }) {
   const loading = stats === null || stats === undefined;
-  const widgets = getWidgets();
+  const permissions = user?.permissions ?? [];
+  const widgets = getWidgets().filter(w => !w.permission || permissions.includes(w.permission));
 
   return (
     <div className="flex flex-col gap-4 sm:gap-6 lg:gap-8">
diff --git a/src/features/admin/registry.js b/src/features/admin/registry.js
index 5e6e784..25e306e 100644
--- a/src/features/admin/registry.js
+++ b/src/features/admin/registry.js
@@ -25,8 +25,8 @@ export function registerWidgetFetcher(id, fetcher) {
   widgetFetchers.set(id, fetcher);
 }
 
-export function registerWidget({ id, Component, order = 0 }) {
-  widgetComponents.set(id, { Component, order });
+export function registerWidget({ id, Component, order = 0, permission }) {
+  widgetComponents.set(id, { Component, order, permission });
 }
 
 export function getWidgets() {
diff --git a/src/features/admin/widgets/users.client.js b/src/features/admin/widgets/users.client.js
index bea1133..f6baa45 100644
--- a/src/features/admin/widgets/users.client.js
+++ b/src/features/admin/widgets/users.client.js
@@ -20,4 +20,4 @@ function UsersWidget({ data, loading }) {
   );
 }
 
-registerWidget({ id: 'users', Component: UsersWidget, order: 10 });
+registerWidget({ id: 'users', Component: UsersWidget, order: 10, permission: 'users.view' });