Restrict marking a bill paid to admins only, per requirement.
- BillDetailPage: gate Mark Paid / Mark Unpaid on useAuth().isAdmin
(was only hidden in board view).
- BillApprovalsPage: gate Print Checks (which sets bills to paid) on isAdmin.
- Migration: BEFORE INSERT/UPDATE trigger enforce_admin_marks_bill_paid()
rejects the transition into 'paid' for authenticated non-admins. Service-role
/ system contexts (auth.uid() null: buildium-sync, accounting triggers,
autopay) remain allowed. Verified: admin allowed, non-admin blocked (23514).
Note: the approver column showing "None" in production is a stale-deploy
issue — the DB column was renamed vendor_name->approver_name (Jun 4) but
prod still ran code querying vendor_name. Deploying current main resolves it.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
