refactor(timeline): single-source the curator edit gate via canEditEvent

The security-relevant edit-affordance gate (canWrite && !derived && eventId != null) was copied into EventPill, WorldBand, and EventCluster — three places for one load-bearing contract, inviting drift. It now lives once as canEditEvent(entry, canWrite) in eventCardConfig, and all three call it. No behavior change (HISTORICAL is never derived, so WorldBand's gate is unchanged). First half of review finding #5 (Architect-1). Refs #850 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 22:36:49 +02:00
parent 81e0dfb9e6
commit d450f97bff
5 changed files with 43 additions and 9 deletions
--- a/frontend/src/lib/timeline/EventPill.svelte
+++ b/frontend/src/lib/timeline/EventPill.svelte
@@ -1,6 +1,6 @@
 <script lang="ts">
 import * as m from '$lib/paraglide/messages.js';
-import { getAccentConfig } from './eventCardConfig';
+import { getAccentConfig, canEditEvent } from './eventCardConfig';
 import { timelineDateLabel } from './dateLabel';
 import type { components } from '$lib/generated/api';

@@ -26,7 +26,7 @@ const provenance = $derived(
 // Provenance always shows; the date is an optional prefix so an undated event
 // still reads "abgeleitet"/"kuratiert" (REQ-007).
 const subtitle = $derived(dateLabel ? `${dateLabel} · ${provenance}` : provenance);
-const canEdit = $derived(canWrite && !entry.derived && entry.eventId != null);
+const canEdit = $derived(canEditEvent(entry, canWrite));
 </script>

 <div class="flex justify-center">