improve auth policy

app/src/main/java/com/android/trisolarispms/core/auth/AuthzPolicy.kt

@@ -26,6 +26,9 @@ class AuthzPolicy(
     fun canRefundBookingPayment(propertyId: String): Boolean =
         hasAnyRole(propertyId, Role.ADMIN, Role.MANAGER)
 
+    fun canManageGuestDocuments(propertyId: String): Boolean =
+        hasAnyRole(propertyId, Role.ADMIN, Role.MANAGER)
+
     fun canManagePropertyUsers(propertyId: String): Boolean = hasRole(propertyId, Role.ADMIN)
 
     fun canCreateBookingFor(propertyId: String): Boolean =

app/src/main/java/com/android/trisolarispms/ui/guestdocs/GuestDocumentsTab.kt

@@ -71,6 +71,7 @@ fun GuestDocumentsTab(
     guestId: String,
     bookingId: String,
     canManageDocuments: Boolean,
+    canModifyDocuments: Boolean,
     viewModel: GuestDocumentsViewModel = viewModel(key = "guestDocs:$propertyId:$guestId")
 ) {
     val state by viewModel.state.collectAsState()
@@ -164,6 +165,13 @@ fun GuestDocumentsTab(
                 Text(text = "You don't have access to view documents.")
                 return@Column
             }
+            if (!canModifyDocuments) {
+                Text(
+                    text = "Read-only: documents can be modified only when booking is OPEN or CHECKED_IN.",
+                    style = MaterialTheme.typography.bodySmall
+                )
+                Spacer(modifier = Modifier.height(8.dp))
+            }
             if (!state.isLoading && state.documents.isEmpty()) {
                 Text(text = "No documents yet")
             }
@@ -190,7 +198,7 @@ fun GuestDocumentsTab(
                         guestId = guestId,
                         doc = doc,
                         imageLoader = imageLoader,
-                        canDelete = canManageDocuments,
+                        canDelete = canModifyDocuments,
                         onDelete = { documentId ->
                             viewModel.deleteDocument(propertyId, guestId, documentId)
                         }
@@ -199,7 +207,7 @@ fun GuestDocumentsTab(
             }
         }
 
-        if (canManageDocuments) {
+        if (canModifyDocuments) {
             FloatingActionButton(
                 onClick = { showPicker.value = true },
                 modifier = Modifier
@@ -214,7 +222,7 @@ fun GuestDocumentsTab(
         }
     }
 
-    if (showPicker.value) {
+    if (showPicker.value && canModifyDocuments) {
         AlertDialog(
             onDismissRequest = { showPicker.value = false },
             title = { Text("Add document") },

app/src/main/java/com/android/trisolarispms/ui/navigation/MainRoutesBooking.kt

@@ -65,7 +65,7 @@ internal fun renderBookingRoutes(
                     bookingId = currentRoute.bookingId
                 )
             },
-            canManageDocuments = authz.canManageRazorpaySettings(currentRoute.propertyId)
+            canManageDocuments = authz.canManageGuestDocuments(currentRoute.propertyId)
         )
 
         is AppRoute.BookingPayments -> BookingPaymentsScreen(

app/src/main/java/com/android/trisolarispms/ui/roomstay/BookingDetailsTabsScreen.kt

@@ -87,6 +87,10 @@ fun BookingDetailsTabsScreen(
     val scope = rememberCoroutineScope()
     val staysState by staysViewModel.state.collectAsState()
     val detailsState by detailsViewModel.state.collectAsState()
+    val canModifyDocuments = canManageDocuments && when (detailsState.details?.status) {
+        "OPEN", "CHECKED_IN" -> true
+        else -> false
+    }
 
     LaunchedEffect(propertyId, bookingId, guestId) {
         staysViewModel.load(propertyId, bookingId)
@@ -164,7 +168,8 @@ fun BookingDetailsTabsScreen(
                                 propertyId = propertyId,
                                 guestId = resolvedGuestId,
                                 bookingId = bookingId,
-                                canManageDocuments = canManageDocuments
+                                canManageDocuments = canManageDocuments,
+                                canModifyDocuments = canModifyDocuments
                             )
                         } else {
                             Box(