resolve issues with new features

backend/src/middleware/rbac.middleware.ts

@@ -63,6 +63,16 @@ const PERMISSION_ROLE_MIN: Record<string, AppRole> = {
   'bookings:delete': 'admin',
 };
 
+/**
+ * Derive an AppRole from Authentik JWT groups (highest matching role wins).
+ */
+function roleFromGroups(groups: string[]): AppRole {
+  if (groups.includes('dashboard_admin')) return 'admin';
+  if (groups.includes('dashboard_kommando')) return 'kommandant';
+  if (groups.includes('dashboard_fahrmeister') || groups.includes('dashboard_zeugmeister')) return 'gruppenfuehrer';
+  return 'mitglied';
+}
+
 function hasPermission(role: AppRole, permission: string): boolean {
   const minRole = PERMISSION_ROLE_MIN[permission];
   if (!minRole) {
@@ -116,24 +126,16 @@ export function requirePermission(permission: string) {
       return;
     }
 
-    const role = (req.user as any).role
+    const dbRole = (req.user as any).role
       ? (req.user as any).role as AppRole
       : await getUserRole(req.user.id);
+    const groupRole = roleFromGroups(req.user?.groups ?? []);
+    const role = ROLE_HIERARCHY.indexOf(groupRole) > ROLE_HIERARCHY.indexOf(dbRole) ? groupRole : dbRole;
 
     // Attach role to request for downstream use (e.g., bericht_text redaction)
     (req as Request & { userRole?: AppRole }).userRole = role;
 
     if (!hasPermission(role, permission)) {
-      // Fallback: dashboard_admin group grants admin:access
-      if (permission === 'admin:access') {
-        const userGroups: string[] = req.user?.groups ?? [];
-        if (userGroups.includes('dashboard_admin')) {
-          (req as Request & { userRole?: AppRole }).userRole = 'admin';
-          next();
-          return;
-        }
-      }
-
       logger.warn('Permission denied', {
         userId: req.user.id,
         role,