From a8b977a2dbba4ca7e47ab6c96c557abcbc3543c7 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Wed, 8 Apr 2026 11:52:50 +0200
Subject: [PATCH] fix: include managed role assignments in direct roles query

getDirectRolesForUser filtered on origin='direct', which excluded roles assigned via claim mapping (origin='managed'). This caused OIDC users to appear roleless even when claim mappings matched.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../java/com/cameleer3/server/app/rbac/RbacServiceImpl.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/rbac/RbacServiceImpl.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/rbac/RbacServiceImpl.java
index 95447e41..7e955e83 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/rbac/RbacServiceImpl.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/rbac/RbacServiceImpl.java
@@ -248,11 +248,11 @@ public class RbacServiceImpl implements RbacService {
 @Override
 public List getDirectRolesForUser(String userId) {
 return jdbc.query("""
- SELECT r.id, r.name, r.system FROM user_roles ur
+ SELECT r.id, r.name, r.system, ur.origin FROM user_roles ur
 JOIN roles r ON r.id = ur.role_id
- WHERE ur.user_id = ? AND ur.origin = 'direct'
+ WHERE ur.user_id = ?
 """, (rs, rowNum) -> new RoleSummary(rs.getObject("id", UUID.class),
- rs.getString("name"), rs.getBoolean("system"), "direct"), userId);
+ rs.getString("name"), rs.getBoolean("system"), rs.getString("origin")), userId);
 }

 private List getDirectGroupsForUser(String userId) {
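Review bot: With the `ur.origin = 'direct'` predicate removed, `getDirectRolesForUser` returns every `user_roles` row for the user, so the method name and any caller that relied on the old filter no longer agree with the query. The callers are outside this hunk; any of them that treats the result as manually assigned roles (for instance to decide which assignments an administrator may edit or remove) should now branch on the fourth `RoleSummary` argument instead of assuming `direct`. I would state the new contract on the method, e.g. `/** Returns all roles assigned to the user itself (not inherited via groups), with origin 'direct' or 'managed'; callers must check the origin before modifying an assignment. */`. If the `user_roles` key allows the same role under both origins, the list can now contain that role twice, and a NULL `ur.origin` would be passed through as a null origin; both are worth confirming against the schema, which is not visible here.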