
Merge branch 'dev' into feature/af-issue363

2026-03-18 09:05:23 +09:00
35 changed files with 2225 additions and 317 deletions


@@ -76,7 +76,8 @@ func (h *UserHandler) ListUsers(c *fiber.Ctx) error {
// [New] Get requester profile from middleware
var requesterRole string
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok {
requesterRole = profile.Role
requesterRole = domain.NormalizeRole(profile.Role)
requesterCompany = profile.CompanyCode
}
limit := c.QueryInt("limit", 50)
@@ -306,9 +307,9 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
}
}
role := strings.TrimSpace(req.Role)
role := domain.NormalizeRole(req.Role)
if role == "" {
role = "user"
role = domain.RoleUser
}
attributes := map[string]interface{}{
@@ -969,7 +970,7 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
// [New] Check access scope
requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
if requester != nil && requester.Role == domain.RoleTenantAdmin {
if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
compCode := extractTraitString(identity.Traits, "companyCode")
if requester.CompanyCode == "" || compCode != requester.CompanyCode {
return errorJSON(c, fiber.StatusForbidden, "forbidden: cannot update user in another tenant")
@@ -991,7 +992,7 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
}
// [New] Tenant Admin restriction: Cannot change companyCode
if requester != nil && requester.Role == domain.RoleTenantAdmin {
if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
if req.CompanyCode != nil && *req.CompanyCode != requester.CompanyCode {
return errorJSON(c, fiber.StatusForbidden, "forbidden: tenant admins cannot change user's tenant")
}
@@ -1068,9 +1069,9 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
traits["department"] = strings.TrimSpace(*req.Department)
}
if req.Role != nil {
role := strings.TrimSpace(*req.Role)
role := domain.NormalizeRole(*req.Role)
if role == "" {
role = "user"
role = domain.RoleUser
}
traits["grade"] = role
traits["role"] = role
@@ -1133,7 +1134,7 @@ func (h *UserHandler) DeleteUser(c *fiber.Ctx) error {
// [New] Check access scope before deletion
requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
if requester != nil && requester.Role == domain.RoleTenantAdmin {
if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
identity, err := h.KratosAdmin.GetIdentity(c.Context(), userID)
if err == nil && identity != nil {
compCode := extractTraitString(identity.Traits, "companyCode")
@@ -1167,7 +1168,11 @@ func (h *UserHandler) mapIdentitySummary(ctx context.Context, identity service.K
traits := identity.Traits
role := extractTraitString(traits, "grade")
if role == "" {
role = "user"
role = extractTraitString(traits, "role")
}
role = domain.NormalizeRole(role)
if role == "" {
role = domain.RoleUser
}
compCode := extractTraitString(traits, "companyCode")
@@ -1229,9 +1234,12 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
traits := identity.Traits
role := extractTraitString(traits, "grade")
if role == "" {
role = "user"
role = extractTraitString(traits, "role")
}
role = domain.NormalizeRole(role)
if role == "" {
role = domain.RoleUser
}
// Try "companyCode" first, then fallback to "company_code"
compCode := extractTraitString(traits, "companyCode")
if compCode == "" {
compCode = extractTraitString(traits, "company_code")
@@ -1283,6 +1291,9 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
}
func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole, oldTenantID string, newTenantID *string) {
newRole = domain.NormalizeRole(newRole)
oldRole = domain.NormalizeRole(oldRole)
if h.KetoOutboxRepo == nil {
return
}