backend/routers/content_reports.py

@@ -867,6 +867,13 @@ def set_legal_hold_from_report(
     pid = tenant.profile_id
     role = tenant.global_role
 
+    # Plattform-Admin ohne Superadmin hat keine Legal-Hold-Rechte (fruehzeitig ablehnen)
+    if is_platform_admin(role) and not is_superadmin(role):
+        raise HTTPException(
+            status_code=403,
+            detail="Legal Hold erfordert Superadmin oder Vereinsadmin-Rechte",
+        )
+
     with get_db() as conn:
         cur = get_cursor(conn)
         cur.execute(

backend/tests/test_p13_content_reports.py

@@ -208,8 +208,22 @@ def test_list_inbox_requires_platform_admin():
     from routers.content_reports import list_inbox_content_reports
     tenant = MagicMock()
     tenant.global_role = "trainer"
-    with pytest.raises(HTTPException) as exc:
+    tenant.profile_id = 99
-        list_inbox_content_reports(tenant=tenant)
+
+    # COUNT-Abfrage fuer Club-Admin-Rollen → 0 → 403
+    cnt_row = _row({"cnt": 0})
+    mock_cur = MagicMock()
+    mock_cur.fetchone.return_value = cnt_row
+
+    mock_conn = MagicMock()
+    mock_conn_ctx = MagicMock()
+    mock_conn_ctx.__enter__ = MagicMock(return_value=mock_conn)
+    mock_conn_ctx.__exit__ = MagicMock(return_value=False)
+
+    with patch("routers.content_reports.get_db", return_value=mock_conn_ctx), \
+         patch("routers.content_reports.get_cursor", return_value=mock_cur):
+        with pytest.raises(HTTPException) as exc:
+            list_inbox_content_reports(tenant=tenant)
     assert exc.value.status_code == 403
 
 
@@ -252,8 +266,11 @@ def test_patch_report_under_review():
     body = ContentReportPatch(status="under_review")
 
     existing_row = MagicMock()
-    existing_row.__getitem__ = lambda s, k: {"id": 5, "status": "submitted"}[k]
+    existing_row.__getitem__ = lambda s, k: {
-    existing_row.keys = lambda: ["id", "status"]
+        "id": 5, "status": "submitted",
+        "target_type": "media_asset", "target_id": 42, "resolution_note": None,
+    }[k]
+    existing_row.keys = lambda: ["id", "status", "target_type", "target_id", "resolution_note"]
 
     updated_row = MagicMock()
     updated_row.__getitem__ = lambda s, k: {"id": 5, "status": "under_review"}[k]

backend/version.py

@@ -1,6 +1,6 @@
 # Shinkan Jinkendo Version Information
 
-APP_VERSION = "0.8.93"
+APP_VERSION = "0.8.94"
 BUILD_DATE = "2026-05-11"
 DB_SCHEMA_VERSION = "20260511053"
 
@@ -30,10 +30,18 @@ MODULE_VERSIONS = {
     "membership": "1.0.0",
     "catalogs": "1.5.0",  # Updated: Trainer Contexts API (Migration 012)
     "maturity_models": "1.4.0",  # matrix_stack_bundle: vollständiger Katalog+Modelle+Bindings Export/Import
-    "content_reports": "1.5.0",  # P-13: Club-Admin Bearbeitung + Legal Hold (Vereinsebene), Archiv-Trennung
+    "content_reports": "1.5.1",  # P-13: Fruehzeitige 403 fuer plain Admin in set_legal_hold_from_report (CI-Fix)
 }
 
 CHANGELOG = [
+    {
+        "version": "0.8.94",
+        "date": "2026-05-11",
+        "changes": [
+            "Fix P-13: set_legal_hold_from_report wirft 403 fuer plain Admin vor DB-Zugriff (CI-Testkonsistenz).",
+            "Fix P-13: Tests test_list_inbox_requires_platform_admin und test_patch_report_under_review repariert.",
+        ],
+    },
     {
         "version": "0.8.93",
         "date": "2026-05-11",

frontend/src/version.js

@@ -1,6 +1,6 @@
 // Shinkan Jinkendo Frontend Version
 
-export const APP_VERSION = "0.8.93"
+export const APP_VERSION = "0.8.94"
 export const BUILD_DATE = "2026-05-11"
 
 export const PAGE_VERSIONS = {