fix(opportunities): hide checkboxes + action bar for viewer role

[cristim]

Summary

QA Viewer Role 2.3 + 2.4: Viewer role users could click rows on the Opportunities table and toggle per-row + Select-all checkboxes, even though Viewer has no purchase/plan actions. The checkboxes were misleading affordances.

Fix

For role === 'viewer':

• Per-row + Select-all checkbox column hidden.
• Row click handler skipped (inert).
• Bottom action bar ("Plan from X selected", "Purchase X selected") not rendered.

Admin/operator roles unchanged.

Files changed

• frontend/src/recommendations.ts
• frontend/src/__tests__/recommendations-permissions.test.ts

Test plan

• 12 permission tests pass; 336 recommendations tests overall pass.
• Manual: log in as viewer, open Opportunities, confirm no checkboxes + no action bar.

Closes #869.

Summary by CodeRabbit

• New Features

  • Readonly/viewer users now see recommendations without selection checkboxes or row-click interactions, providing a cleaner, view-only experience.

• Tests

  • Added permission-gating tests verifying readonly users cannot access selection UI while admin and regular users retain full selection capabilities.

[coderabbitai]

Warning

Review limit reached

@cristim, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 11 minutes and 41 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9e7990da-e436-4fc9-92e0-1c15f61d3dba

📥 Commits

Reviewing files that changed from the base of the PR and between 4c4b2a4 and 88eacb9.

📒 Files selected for processing (2)

• frontend/src/__tests__/recommendations-permissions.test.ts
• frontend/src/recommendations.ts

📝 Walkthrough

Walkthrough

The PR adds permission-based gating to the recommendations table's selection UI. Viewer/readonly sessions now render without checkboxes or row-click selection affordances by introducing a canActOnRecommendations() permission check that gates the checkbox column and wires selection handlers only for authorized roles.

Changes

Readonly Selection UI Gating

Layer / File(s)	Summary
Permission check helper frontend/src/recommendations.ts	New canActOnRecommendations() determines whether the session has execute/create permissions for purchases or plans, serving as the master gate for selection UI visibility.
Checkbox render flag threading frontend/src/recommendations.ts	buildVariantRowMarkup and buildListMarkup accept a showCheckboxes flag to conditionally omit per-row checkbox cells and header select-all checkboxes. Tri-state checkbox logic is computed only when checkboxes are shown, and empty-results colspan is adjusted for the optional column.
Selection handler and main render integration frontend/src/recommendations.ts	renderRecommendationsList() computes showCheckboxes from the permission check and threads it through markup builders. Select-all change, per-row checkbox enforcement, and row-click-to-toggle handlers are wrapped in a showCheckboxes guard so readonly sessions skip all selection wiring.
Permission-based checkbox and row-click tests frontend/src/__tests__/recommendations-permissions.test.ts	New test suite for issue #869 verifies that readonly role omits checkboxes from the DOM and does not trigger selection state on row clicks, while admin/user roles retain full selection UI and behavior. File-level documentation and test fixtures updated.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• LeanerCloud/CUDly#352: Modifies row-click selection behavior in recommendations.ts (changes to toggle-selection action vs. detail drawer); main PR conditionally disables the selection UI entirely for viewer sessions.
• LeanerCloud/CUDly#231: Modifies select-all and per-row checkbox enforcement logic in recommendations.ts; main PR gates those handlers behind a permission flag.
• LeanerCloud/CUDly#326: Modifies buildListMarkup and buildVariantRowMarkup table rendering via dynamic column visibility; main PR uses a simpler showCheckboxes flag for the same code paths.

Poem

🐰 A checkbox glimmers for every role with power,
But viewer eyes find naught but empty table rows—
No select-all, no click, no false affordance shower,
Just quiet, truthful UI that honestly shows.
Per-role permissions guard the UI throne.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and accurately summarizes the main change: hiding checkboxes and action bar for the viewer role in opportunities.
Linked Issues check	✅ Passed	The code changes fully implement issue #869 requirements: checkboxes hidden for viewer role, row clicks made inert, and new test coverage for viewer permission scenarios.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to issue #869: hiding checkboxes and disabling row interactions for viewer role with corresponding test additions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/869-viewer-opportunities-inert

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/src/__tests__/recommendations-permissions.test.ts`:
- Around line 86-101: Add a new readonly unit test that exercises
grouped-row/multi-variant rendering by creating a fixture with two variant
objects that share the same cell key (e.g., clone sampleRec twice with different
variant identifiers but identical cell key), render the recommendations
component/table in readonly mode (use the same test helpers used elsewhere in
this file), and assert that the header and body column counts remain equal and
that no extra leading checkbox column is rendered (i.e., verify
header.columns.length === body.row.columns.length and there is no checkbox
column at index 0). Place this alongside the existing single-row tests (also
update tests covering lines ~160-225 similarly) so grouped-row rendering is
covered.

In `@frontend/src/recommendations.ts`:
- Around line 2483-2484: The summary rows for multi-variant/grouped displays
still emit a leading <td class="checkbox-col"> even when the showCheckboxes
parameter is false, causing column misalignment; update the rendering logic
wherever summary/group rows are built (the function that accepts the
showCheckboxes parameter) to conditionally include that checkbox/chevron <td>
only when showCheckboxes === true—apply the same fix to the other occurrences
mentioned (around the blocks at the ranges you noted) so header and all row
types stay aligned.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ac6b46bc-8a14-419d-9db9-4405618357ed

📥 Commits

Reviewing files that changed from the base of the PR and between 4956d66 and 4c4b2a4.

📒 Files selected for processing (2)

• frontend/src/__tests__/recommendations-permissions.test.ts
• frontend/src/recommendations.ts

[cristim]

Addressed both CR findings in 88eacb9. @coderabbitai review

[coderabbitai]

@cristim Thanks for the update — triggering a review of commit 88eacb9dc now!

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.