Implement Role Switch Support for Multi-Role Users
epic-role-based-access-control-state-and-services-task-008 — Extend RoleStateManager with switchRole(newRole) that validates the requested role is in the user's available roles list before switching, emits the new RoleState, and triggers reactive updates downstream. Expose an availableRolesStream so UI components (role switch widget) can display only roles the user actually holds. Ensure org/chapter scoping is preserved when switching between coordinator and peerMentor roles within NHF's multi-chapter structure.
Acceptance Criteria
Technical Requirements
Execution Context
Tier 4 - 323 tasks
Can start after Tier 3 completes
Implementation Notes
RoleState should be a data class: RoleState({required UserRole activeRole, required List
Use Riverpod's StateNotifier or AsyncNotifier pattern. The availableRolesStream is simply the StateNotifier's stream mapped to state.availableRoles. For NHF users with up to 5 chapter memberships, availableRoles may contain multiple RoleWithScope entries for the same UserRole — the switch UI should display chapter names, not just role names, to disambiguate.
Testing Requirements
Unit tests with flutter_test: test switchRole with valid role → assert state emission. Test switchRole with role not in availableRoles → assert unauthorized result and no state change. Test no-op for same role. Test availableRolesStream emits correct list for single-role and multi-role users.
Test chapter scoping preserved after switch by asserting activeChapterId unchanged. Test concurrent calls with delayed mock to ensure no race condition. Widget test: mount RoleSwitchWidget with a mocked stream, assert only available roles are rendered. Target 90%+ coverage.
A coordinator's permissions could be revoked by an admin while they are actively using the app. If the permission checker relies solely on the cached role state from login, the coordinator could continue performing actions they are no longer authorized for until the next login.
Mitigation & Contingency
Mitigation: The Permission Checker Service must re-validate against the Role Repository (not just in-memory state) before high-impact actions. Implement a configurable staleness window (e.g., 15 minutes) after which role data is refreshed from Supabase in the background.
Contingency: If a revoked permission is detected during a pre-action check, immediately clear the cached role state, force a re-resolution from Supabase, and display an inline error explaining the permission change rather than crashing or silently failing.
Using both BLoC and Riverpod in the same state management layer for roles risks state synchronization bugs where one system updates before the other, causing widgets to render with stale role data during the switch transition.
Mitigation & Contingency
Mitigation: Choose a single primary state management approach (Riverpod StateNotifier is recommended) for role state and wrap the BLoC pattern within it if legacy code requires BLoC interfaces. Establish a single source-of-truth provider that all consumers read from.
Contingency: If synchronization bugs appear during integration testing, introduce a RoleStateReady gate widget that delays rendering of role-dependent UI until the state notifier emits a confirmed resolved state, preventing partial renders.
Hardcoded permission constants per role can become a maintenance burden as new features are added across 61 total features, leading to permission definitions that are scattered, stale, or inconsistent.
Mitigation & Contingency
Mitigation: Centralize all role-permission mappings in a single RolePermissions constants file with named action keys. Enforce that no widget or service directly checks role type strings; all checks must go through the Permission Checker Service.
Contingency: If permission definitions drift out of sync, introduce a validation test suite that cross-references all registered permission constants against their usage sites and fails the CI build if an undefined permission key is referenced.