Contributor

Copilot AI commented Oct 20, 2025

Summary

Modified the /api/events/:id/instagram-post API endpoint to add proper authorization checks as required.

Changes

  • Add authorization checks to postCarouselToInstagramApi method
    • Verify event is public (visibility_id == 3)
    • Verify user owns event OR has admin/super_admin permission
    • Return 401 Unauthorized HTTP status code if checks fail
  • Create comprehensive test coverage for all authorization scenarios
    • Test owner can post their own public event (with Instagram mocks)
    • Test private events cannot be posted (with Instagram mocks)
    • Test non-owner/non-admin cannot post public events (with Instagram mocks)
    • Test admin can post any public event (with Instagram mocks)
    • Test super_admin can post any public event (with Instagram mocks)

Authorization Requirements

The endpoint now enforces:

  1. User must be authenticated (existing middleware)
  2. Event must be PUBLIC (visibility_id === 3)
  3. User must EITHER own the event OR have admin/super_admin group membership

HTTP Responses

  • 200 OK - Successfully posted to Instagram
  • 401 Unauthorized - Event is not public OR user doesn't own event and isn't admin
  • 404 Not Found - Event doesn't exist
  • 400 Bad Request - Instagram API errors

Testing

All tests now use Instagram mocks to avoid requiring actual Instagram API access during testing.

Original prompt

This section details the original issue you should resolve

<issue_title>Improve the API endpoints to post to instagram</issue_title>
<issue_description>Modify the authorization for users hitting the /api/events/:id/instagram-post API endpoint.
The event must be public, the user must be authenticated, and the user must either own the event OR have admin permission.

If they do not, return an unauthorized http code.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #1555
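
The decision order listed in the pull request description above, as a framework-independent sketch added here (it is not the project's code): 404 for a missing event, 401 unless the event is public and the caller is its owner or in admin/super_admin, and only then the Instagram call. The names `User`, `Event`, `MockInstagram` and `handle_instagram_post` are assumptions, as is signalling an Instagram failure with `RuntimeError`.

```python
from dataclasses import dataclass, field

PUBLIC_VISIBILITY_ID = 3                      # "public" per the PR description
PRIVILEGED_GROUPS = {"admin", "super_admin"}  # group names per the PR description

@dataclass
class User:                                   # hypothetical shape
    id: int
    groups: set = field(default_factory=set)

@dataclass
class Event:                                  # hypothetical shape
    id: int
    owner_id: int
    visibility_id: int

class MockInstagram:
    """Test double: records posts, optionally simulates an API error."""
    def __init__(self, fail=False):
        self.fail = fail
        self.posted = []

    def post_carousel(self, event):
        if self.fail:
            raise RuntimeError("simulated Instagram API error")
        self.posted.append(event.id)

def handle_instagram_post(user, event_id, events, instagram):
    """Return the HTTP status for an already-authenticated user."""
    event = events.get(event_id)
    if event is None:
        return 404
    allowed_user = event.owner_id == user.id or bool(PRIVILEGED_GROUPS & user.groups)
    if event.visibility_id != PUBLIC_VISIBILITY_ID or not allowed_user:
        return 401                            # denied before any outbound call
    try:
        instagram.post_carousel(event)
    except RuntimeError:
        return 400
    return 200

# Constructed sample data: event 1 is public, event 2 is not (any id other than 3).
EVENTS = {1: Event(1, owner_id=10, visibility_id=3),
          2: Event(2, owner_id=10, visibility_id=1)}
OWNER, STRANGER = User(10), User(20)
ADMIN, SUPER_ADMIN = User(30, {"admin"}), User(40, {"super_admin"})
```

Because the mock records every call, a test can assert both the status code and that a denied request never reached the Instagram client, including an admin trying to post a non-public event.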



Copilot AI changed the title from "[WIP] Update authorization for Instagram post API endpoint" to "Add authorization checks to Instagram API endpoint for event posting" on Oct 20, 2025
Copilot AI requested a review from geoff-maddock October 20, 2025 07:15
Copilot finished work on behalf of geoff-maddock October 20, 2025 07:15
@geoff-maddock
Owner

@copilot The new test is failing because it won't be able to post to Instagram in this environment.
Instead use mocks to provide responses that can be tested against.

Contributor Author

Copilot AI commented Oct 28, 2025

@copilot The new test is failing because it won't be able to post to Instagram in this environment.
Instead use mocks to provide responses that can be tested against.

Added Instagram mocks to all authorization failure tests to prevent any Instagram API calls during testing. Also restored the $seed = true setting. Changes in commit dcc86ca.

Copilot finished work on behalf of geoff-maddock October 28, 2025 06:44
@geoff-maddock geoff-maddock marked this pull request as ready for review October 28, 2025 16:38
@geoff-maddock
Owner

Deployed and tested this, and it failed. Needs more testing
