feat: simplify RBAC roles and remove dev role switcher

- Simplified RBAC system to two roles: super_admin and user. - Removed tenant_admin and rp_admin roles across backend and frontend. - Removed Dev Role Switcher feature from adminfront. - Updated all handlers, middlewares, and navigation to reflect the new role model. - Fixed backend build errors and updated tests.
2026-06-02 18:29:18 +09:00
parent 57f05e2694
commit 802bf3e91d
32 changed files with 487 additions and 938 deletions
--- a/devfront/src/components/common/ForbiddenMessage.tsx
+++ b/devfront/src/components/common/ForbiddenMessage.tsx
@@ -17,31 +17,21 @@ export function ForbiddenMessage({ resourceToken }: Props) {
    "You do not have permission to access this resource. Contact your administrator.",
  );

-  if (role === "rp_admin") {
-    explanation = t(
-      "msg.dev.forbidden.rp_admin",
-      "RP administrators can only access resources for their assigned applications.",
-    );
-  } else if (role === "tenant_admin") {
-    explanation = t(
-      "msg.dev.forbidden.tenant_admin",
-      "Your tenant administrator permission is missing, misconfigured, or expired.",
-    );
-  } else if (role === "user" || role === "tenant_member") {
+  if (role === "user") {
    if (resourceToken === "consents") {
      explanation = t(
        "msg.dev.forbidden.user.consents",
-        "Viewing consent records for this application requires an RP administrator, consent read, or consent revoke relationship. Request access from an administrator if needed.",
+        "Viewing consent records for this application requires an operational relationship. Request access from an administrator if needed.",
      );
    } else if (resourceToken === "audit") {
      explanation = t(
        "msg.dev.forbidden.user.audit",
-        "Viewing audit logs for this application requires an RP administrator or audit read relationship. Request access from an administrator if needed.",
+        "Viewing audit logs for this application requires an audit read relationship. Request access from an administrator if needed.",
      );
    } else {
      explanation = t(
        "msg.dev.forbidden.user.clients",
-        "Standard user accounts can use this feature only when an operational or administrative relationship is granted for the target RP. Request access from an administrator if needed.",
+        "Standard user accounts can use this feature only when an operational or administrative relationship is granted for the target application. Request access from an administrator if needed.",
      );
    }
  }
--- a/devfront/src/features/developer-access/developerAccessGate.ts
+++ b/devfront/src/features/developer-access/developerAccessGate.ts
@@ -12,11 +12,7 @@ export type DeveloperAccessGateState = {
 };

 function isPrivilegedDeveloperRole(profileRole: string) {
-  return (
-    profileRole === "super_admin" ||
-    profileRole === "tenant_admin" ||
-    profileRole === "rp_admin"
-  );
+  return profileRole === "super_admin";
 }

 export function resolveDeveloperAccessGate(
--- a/devfront/src/lib/role.ts
+++ b/devfront/src/lib/role.ts
@@ -1,12 +1,15 @@
 export function normalizeRole(rawRole: unknown): string {
  if (typeof rawRole !== "string") return "";
  const role = rawRole.trim().toLowerCase();
-  if (role === "tenant_member") return "user";
-  if (role === "admin") return "tenant_admin";
-  if (role === "superadmin") return "super_admin";
-  if (role === "tenantadmin") return "tenant_admin";
-  if (role === "rpadmin") return "rp_admin";
-  return role;
+
+  switch (role) {
+    case "super_admin":
+    case "superadmin":
+    case "super-admin":
+      return "super_admin";
+    default:
+      return "user";
+  }
 }

 export function resolveProfileRole(