do not create elevated roles

ashleysmithTTD · ashleysmithTTD · commit 2162fde53340 · 2026-03-02T11:49:49.000-07:00
diff --git a/src/api/services/kcUsersService.ts b/src/api/services/kcUsersService.ts
@@ -3,16 +3,14 @@ import { RequiredActionAlias } from '@keycloak/keycloak-admin-client/lib/defs/re
 import UserRepresentation from '@keycloak/keycloak-admin-client/lib/defs/userRepresentation';
 
 import { SSP_KK_API_CLIENT_ID, SSP_KK_SSL_RESOURCE, SSP_WEB_BASE_URL } from '../envars.ts';
+import {
+  developerElevatedRole,
+  developerRole,
+  uid2SupportRole,
+} from '../middleware/userRoleMiddleware';
 
 export const API_PARTICIPANT_MEMBER_ROLE_NAME = 'api-participant-member';
 
-// Same group names as userRoleMiddleware (from JWT payload / Keycloak attributes.groups)
-const developerElevatedRole = 'developer-elevated';
-const developerRole = 'developer';
-const uid2SupportRole = 'prod-uid2.0-support';
-
-export type ElevatedRole = 'SuperUser' | 'UID2 Support';
-
 export const queryKeycloakUsersByEmail = async (
   kcAdminClient: KeycloakAdminClient,
   email: string
@@ -33,26 +31,19 @@ function toGroupsArray(groupsRaw: unknown): string[] {
   return [];
 }
 
-/**
- * Resolves elevated role from Keycloak user attributes (key "groups"), not realm Groups.
- * Used when the viewed user has no portal participants but may have SuperUser/UID2 Support in IdP.
- */
 export const getElevatedRoleByEmail = async (
   kcAdminClient: KeycloakAdminClient,
   email: string
-): Promise<ElevatedRole | null> => {
+): Promise<string | null> => {
   const users = await queryKeycloakUsersByEmail(kcAdminClient, email);
   if (!users.length) return null;
 
   const attrs = users[0].attributes;
   const groups = toGroupsArray(attrs?.groups);
 
-  if (groups.includes(developerElevatedRole)) return 'SuperUser';
-  if (
-    groups.includes(developerRole) ||
-    groups.includes(uid2SupportRole)
-  ) {
-    return 'UID2 Support';
+  if (groups.includes(developerElevatedRole)) return developerElevatedRole;
+  if (groups.includes(developerRole) || groups.includes(uid2SupportRole)) {
+    return uid2SupportRole;
   }
   return null;
 };
diff --git a/src/web/components/UserManagement/UserPartcipantsTable.tsx b/src/web/components/UserManagement/UserPartcipantsTable.tsx
@@ -1,8 +1,8 @@
 import { ParticipantDTO } from '../../../api/entities/Participant';
 import { UserDTO } from '../../../api/entities/User';
 import { UserRoleId } from '../../../api/entities/UserRole';
+import { developerElevatedRole, uid2SupportRole } from '../../../api/middleware/userRoleMiddleware';
 import { SortableProvider } from '../../contexts/SortableTableProvider';
-import { ElevatedRole } from '../../services/participant';
 import { TableNoDataPlaceholder } from '../Core/Tables/TableNoDataPlaceholder';
 
 import './UserParticipantsTable.scss';
@@ -24,14 +24,14 @@ function UserParticipantRow({ participantName, roleName }: UserParticipantRowPro
 export type UserParticipantsTableProps = Readonly<{
   user: UserDTO;
   userParticipants: ParticipantDTO[];
-  elevatedRole?: ElevatedRole | null;
+  elevatedRole: string | null;
 }>;
 
-function getEmptyParticipantsMessage(elevatedRole: ElevatedRole | null | undefined): string {
-  if (elevatedRole === 'SuperUser') {
+function getEmptyParticipantsMessage(elevatedRole:string | null): string {
+  if (elevatedRole === developerElevatedRole) {
     return 'This user has SuperUser role and has access to all participants.';
   }
-  if (elevatedRole === 'UID2 Support') {
+  if (elevatedRole === uid2SupportRole) {
     return 'This user has UID2 Support role and has access to all participants.';
   }
   return 'This user does not belong to any participant.';
diff --git a/src/web/components/UserManagement/UserParticipantsDialog.tsx b/src/web/components/UserManagement/UserParticipantsDialog.tsx
@@ -2,7 +2,7 @@ import { useEffect, useState } from 'react';
 
 import { ParticipantDTO } from '../../../api/entities/Participant';
 import { UserDTO } from '../../../api/entities/User';
-import { ElevatedRole, GetUserParticipants } from '../../services/participant';
+import {  GetUserParticipants } from '../../services/participant';
 import { Dialog } from '../Core/Dialog/Dialog';
 import { Loading } from '../Core/Loading/Loading';
 import UserParticipantsTable from './UserPartcipantsTable';
@@ -14,7 +14,7 @@ type UserParticipantsDialogProps = Readonly<{
 
 function UserParticipantsDialog({ user, onOpenChange }: UserParticipantsDialogProps) {
   const [userParticipants, setUserParticipants] = useState<ParticipantDTO[]>();
-  const [elevatedRole, setElevatedRole] = useState<ElevatedRole | null>(null);
+  const [elevatedRole, setElevatedRole] = useState<string | null>(null);
   const [isLoading, setIsLoading] = useState<boolean>(true);
 
   useEffect(() => {
diff --git a/src/web/services/participant.ts b/src/web/services/participant.ts
@@ -44,11 +44,9 @@ export async function GetAllParticipants() {
   }
 }
 
-export type ElevatedRole = 'SuperUser' | 'UID2 Support';
-
 export type GetUserParticipantsResponse = {
   participants: ParticipantDTO[];
-  elevatedRole: ElevatedRole | null;
+  elevatedRole: string | null;
 };
 
 export async function GetUserParticipants(userId: number): Promise<GetUserParticipantsResponse> {

Original file line number	Diff line number	Diff line change
`@@ -44,11 +44,9 @@ export async function GetAllParticipants() {`
`44`	`44`	`}`
`45`	`45`	`}`
`46`	`46`
`47`		`-export type ElevatedRole = 'SuperUser' \| 'UID2 Support';`
`48`		`-`
`49`	`47`	`export type GetUserParticipantsResponse = {`
`50`	`48`	`participants: ParticipantDTO[];`
`51`		`- elevatedRole: ElevatedRole \| null;`
	`49`	`+ elevatedRole: string \| null;`
`52`	`50`	`};`
`53`	`51`
`54`	`52`	`export async function GetUserParticipants(userId: number): Promise<GetUserParticipantsResponse> {`