From f98792f10baf60d50d1bafa64df8edbf13723fc5 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Sun, 22 Mar 2026 23:01:45 +0100
Subject: [PATCH] fix(permissions): redirect read-only users from
 /documents/new to home

throw error(403) kept the URL at /documents/new (the error page renders
in-place). Changed to throw redirect(303, '/') so the URL actually changes,
matching the E2E test expectation that a read-only user is redirected away.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/src/routes/documents/new/+page.server.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/frontend/src/routes/documents/new/+page.server.ts b/frontend/src/routes/documents/new/+page.server.ts
index 6ef92f14..605a74e5 100644
--- a/frontend/src/routes/documents/new/+page.server.ts
+++ b/frontend/src/routes/documents/new/+page.server.ts
@@ -1,4 +1,4 @@
-import { error, fail, redirect } from '@sveltejs/kit';
+import { fail, redirect } from '@sveltejs/kit';
 import { env } from '$env/dynamic/private';
 import { createApiClient } from '$lib/api.server';
 import { parseBackendError, getErrorMessage } from '$lib/errors';
@@ -16,7 +16,7 @@ export async function load({
 		locals.user?.groups?.some((g: { permissions: string[] }) =>
 			g.permissions.includes('WRITE_ALL')
 		) ?? false;
-	if (!canWrite) throw error(403, 'Forbidden');
+	if (!canWrite) throw redirect(303, '/');
 
 	const senderId = url.searchParams.get('senderId') || '';
 	const receiverId = url.searchParams.get('receiverId') || '';