From ca9edcd038882c98e4d92b39cb313a9f17d238d0 Mon Sep 17 00:00:00 2001
From: Matt <matt@Matt-Surface.local>
Date: Thu, 4 Jun 2026 15:15:14 +0200
Subject: [PATCH] fix(lunch): allow non-admins to read dish list (unblocks
 applicant picker)

---
 src/server/routers/lunch.ts               |  2 +-
 tests/unit/lunch-list-dishes-perm.test.ts | 35 +++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 tests/unit/lunch-list-dishes-perm.test.ts

diff --git a/src/server/routers/lunch.ts b/src/server/routers/lunch.ts
index ebeb807..2855066 100644
--- a/src/server/routers/lunch.ts
+++ b/src/server/routers/lunch.ts
@@ -39,7 +39,7 @@ export const lunchRouter = router({
 
   // ─── Dish CRUD ────────────────────────────────────────────────────────────
 
-  listDishes: adminProcedure
+  listDishes: protectedProcedure
     .input(z.object({ lunchEventId: z.string() }))
     .query(({ ctx, input }) =>
       ctx.prisma.dish.findMany({
diff --git a/tests/unit/lunch-list-dishes-perm.test.ts b/tests/unit/lunch-list-dishes-perm.test.ts
new file mode 100644
index 0000000..7fb6da4
--- /dev/null
+++ b/tests/unit/lunch-list-dishes-perm.test.ts
@@ -0,0 +1,35 @@
+import { afterAll, describe, expect, it } from 'vitest'
+import { prisma, createCaller } from '../setup'
+import { createTestUser, createTestProgram, cleanupTestData, uid } from '../helpers'
+import { lunchRouter } from '@/server/routers/lunch'
+
+describe('lunch.listDishes permission', () => {
+  const programIds: string[] = []
+  const userIds: string[] = []
+  afterAll(async () => {
+    for (const id of programIds) {
+      await prisma.dish.deleteMany({ where: { lunchEvent: { programId: id } } })
+      await prisma.lunchEvent.deleteMany({ where: { programId: id } })
+      await cleanupTestData(id, [])
+    }
+    if (userIds.length) await prisma.user.deleteMany({ where: { id: { in: userIds } } })
+  })
+
+  it('lets a non-admin (APPLICANT) read the dish list', async () => {
+    const program = await createTestProgram({ name: `dish-perm-${uid()}` })
+    programIds.push(program.id)
+    const event = await prisma.lunchEvent.create({
+      data: { programId: program.id, enabled: true },
+    })
+    await prisma.dish.create({ data: { lunchEventId: event.id, name: 'Sea bass', sortOrder: 0 } })
+
+    const applicant = await createTestUser('APPLICANT')
+    userIds.push(applicant.id)
+    const caller = createCaller(lunchRouter, {
+      id: applicant.id, email: applicant.email, role: 'APPLICANT',
+    })
+    const dishes = await caller.listDishes({ lunchEventId: event.id })
+    expect(dishes).toHaveLength(1)
+    expect(dishes[0].name).toBe('Sea bass')
+  })
+})