From 5649ba2a7650b75a39ef377b51d8aa0d1f995e30 Mon Sep 17 00:00:00 2001
From: chan
Date: Wed, 4 Mar 2026 15:59:00 +0900
Subject: [PATCH] fix(backend): allow role mocking via query parameter for CSV export downloads
---
 backend/internal/handler/user_handler.go | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/backend/internal/handler/user_handler.go b/backend/internal/handler/user_handler.go
index 767f9e72..c319d17e 100644
--- a/backend/internal/handler/user_handler.go
+++ b/backend/internal/handler/user_handler.go
@@ -548,7 +548,22 @@ func (h *UserHandler) ExportUsersCSV(c *fiber.Ctx) error {
 var requesterRole string
 var manageableSlugs []string
- if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok {
+
+ profile, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
+
+ // [New] Support Role Mocking for Download (which doesn't have custom headers)
+ if profile == nil {
+ appEnv := strings.ToLower(os.Getenv("APP_ENV"))
+ isDev := appEnv == "dev" || appEnv == "development" || appEnv == ""
+ mockRole := c.Query("x-test-role")
+ if isDev && mockRole != "" {
+ slog.Info("🔑 [AUTH] Using mock role from query for export", "role", mockRole)
+ requesterRole = mockRole
+ // For tenant_admin, we might need more data, but let's assume super_admin for full export in dev
+ } else {
+ return errorJSON(c, fiber.StatusUnauthorized, "invalid session (trace:export_profile)")
+ }
+ } else {
 requesterRole = profile.Role
 if requesterRole == domain.RoleTenantAdmin {
 for _, t := range profile.ManageableTenants {
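Review bot: The `isDev` check fails open: `appEnv == ""` counts an unset `APP_ENV` as development, so any deployment that does not set the variable takes the mock branch, and a request with no `user_profile` local (presumably one that never passed the auth middleware) is given whatever role the `x-test-role` query parameter names for the export. Drop the empty-string case, `isDev := appEnv == "dev" || appEnv == "development"`, and preferably gate the branch behind a dedicated opt-in setting or build tag so that it cannot be reached in a production build. `mockRole` is assigned to `requesterRole` without being checked against the known role constants, and for a mocked tenant admin `manageableSlugs` stays empty; the effect of that depends on code after the hunk, since ExportUsersCSV continues outside it. If downloads cannot carry the auth header, a short-lived server-issued download token would solve that without a role override, and the `slog.Info` call would be better as a warning so that use of the mock path stands out in logs.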