update

2026-03-16 14:41:08 +01:00
parent 5f329bb5c1
commit 215528a521
46 changed files with 462 additions and 251 deletions
--- a/backend/src/middleware/rbac.middleware.ts
+++ b/backend/src/middleware/rbac.middleware.ts
@@ -69,7 +69,7 @@ const PERMISSION_ROLE_MIN: Record<string, AppRole> = {
 function roleFromGroups(groups: string[]): AppRole {
  if (groups.includes('dashboard_admin')) return 'admin';
  if (groups.includes('dashboard_kommando')) return 'kommandant';
-  if (groups.includes('dashboard_fahrmeister') || groups.includes('dashboard_zeugmeister')) return 'gruppenfuehrer';
+  if (groups.includes('dashboard_gruppenfuehrer') || groups.includes('dashboard_fahrmeister') || groups.includes('dashboard_zeugmeister')) return 'gruppenfuehrer';
  return 'mitglied';
 }

@@ -160,7 +160,19 @@ export function requirePermission(permission: string) {
  };
 }

-export { getUserRole, hasPermission };
+/**
+ * Resolve the effective AppRole for a request, combining DB role and group role.
+ * Self-contained — does not depend on requirePermission() middleware having run.
+ */
+export function resolveRequestRole(req: Request): AppRole {
+  const dbRole = (req.user as any)?.role
+    ? ((req.user as any).role as AppRole)
+    : 'mitglied';
+  const groupRole = roleFromGroups(req.user?.groups ?? []);
+  return ROLE_HIERARCHY.indexOf(groupRole) > ROLE_HIERARCHY.indexOf(dbRole) ? groupRole : dbRole;
+}
+
+export { getUserRole, hasPermission, roleFromGroups };

 /**
 * Middleware factory: requires the authenticated user to belong to at least