feat: simplify RBAC roles and remove dev role switcher

- Simplified RBAC system to two roles: super_admin and user. - Removed tenant_admin and rp_admin roles across backend and frontend. - Removed Dev Role Switcher feature from adminfront. - Updated all handlers, middlewares, and navigation to reflect the new role model. - Fixed backend build errors and updated tests.
2026-06-02 18:29:18 +09:00
parent 57f05e2694
commit 802bf3e91d
32 changed files with 487 additions and 938 deletions
--- a/backend/internal/middleware/rbac.go
+++ b/backend/internal/middleware/rbac.go
@@ -160,38 +160,7 @@ func RequireTenantMatch(config RBACConfig) fiber.Handler {
 			return c.Next()
 		}

-		// Tenant Admin check
-		if userRole == domain.RoleTenantAdmin {
-			targetTenantID := c.Params("tenantId")
-			if targetTenantID == "" {
-				targetTenantID = c.Params("id") // common for /tenants/:id
-			}
-
-			if targetTenantID == "" {
-				return c.Next() // No target specified, let Keto or next handler decide
-			}
-
-			// Check primary tenant match
-			if profile.TenantID != nil && *profile.TenantID == targetTenantID {
-				return c.Next()
-			}
-
-			// Check inherited manageable tenants
-			isAllowed := false
-			for _, t := range profile.ManageableTenants {
-				if t.ID == targetTenantID {
-					isAllowed = true
-					break
-				}
-			}
-
-			if !isAllowed {
-				slog.Warn("Tenant match failed", "userID", profile.ID, "targetTenantID", targetTenantID)
-				return errorJSON(c, fiber.StatusForbidden, "forbidden: you do not have access to this tenant")
-			}
-			return c.Next()
-		}
-
+		// Since only Super Admin is maintained for tenant management, others are rejected here
 		return errorJSON(c, fiber.StatusForbidden, "forbidden")
 	}
 }