rights system

backend/src/middleware/rbac.middleware.ts

@@ -20,7 +20,6 @@ export type AppRole =
  *
  * Hardwired rules:
  * - `dashboard_admin` group always passes (full access).
- * - `admin:access` is checked via group membership (not DB).
  * - Maintenance mode blocks non-admin access per feature group.
  */
 export function requirePermission(permission: string) {
@@ -44,25 +43,6 @@ export function requirePermission(permission: string) {
       return;
     }
 
-    // Hardwired: admin:access only for dashboard_admin (already returned above)
-    if (permission === 'admin:access') {
-      logger.warn('Permission denied — admin:access', {
-        userId: req.user.id,
-        permission,
-        path: req.path,
-      });
-
-      auditPermissionDenied(req, AuditResourceType.SYSTEM, undefined, {
-        required_permission: permission,
-      });
-
-      res.status(403).json({
-        success: false,
-        message: 'Keine Berechtigung',
-      });
-      return;
-    }
-
     // Check maintenance mode for the feature group
     const featureGroup = permission.split(':')[0];
     if (permissionService.isFeatureInMaintenance(featureGroup)) {