fix: syncOidcRoles uses direct roles only, always overwrites

- Expose getDirectRolesForUser on RbacService interface so syncOidcRoles compares against directly-assigned roles only, not group-inherited ones - Remove early-return that preserved existing roles when OIDC returned none — now always applies defaultRoles as fallback - Update CLAUDE.md and SERVER-CAPABILITIES.md to reflect changes Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 10:56:40 +02:00
parent ca1b549f10
commit 07f3c2584c
5 changed files with 8 additions and 18 deletions
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/rbac/RbacServiceImpl.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/rbac/RbacServiceImpl.java
@@ -239,7 +239,8 @@ public class RbacServiceImpl implements RbacService {
        return max;
    }

-    private List<RoleSummary> getDirectRolesForUser(String userId) {
+    @Override
+    public List<RoleSummary> getDirectRolesForUser(String userId) {
        return jdbc.query("""
                SELECT r.id, r.name, r.system FROM user_roles ur
                JOIN roles r ON r.id = ur.role_id WHERE ur.user_id = ?