From fbd663e8705c50a1c7a4f776477ec7ca853d0077 Mon Sep 17 00:00:00 2001
From: admin
Date: Thu, 19 Feb 2026 15:51:06 +0700
Subject: [PATCH] 260219:1551 20260219 TASK-BEFE-001 fix Admin Panel #1
---
 backend/src/common/auth/auth.service.ts | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/backend/src/common/auth/auth.service.ts b/backend/src/common/auth/auth.service.ts
index 63ae353..6052a18 100644
--- a/backend/src/common/auth/auth.service.ts
+++ b/backend/src/common/auth/auth.service.ts
@@ -44,6 +44,8 @@ export class AuthService {
 const user = await this.usersRepository
 .createQueryBuilder('user')
 .addSelect('user.password')
+ .leftJoinAndSelect('user.assignments', 'assignments')
+ .leftJoinAndSelect('assignments.role', 'role')
 .where('user.username = :username', { username })
 .getOne();
@@ -54,9 +56,28 @@ export class AuthService {
 // ตรวจสอบว่ามี user และมี password hash หรือไม่
 if (user && user.password && (await bcrypt.compare(pass, user.password))) {
+ // Logic: Map RBAC Roles to 'ADMIN' | 'DC' | 'User' for Frontend Compatibility
+ // Roles Table: 'Superadmin', 'Org Admin', 'Document Control', 'Editor', 'Viewer'
+
+ let derivedRole = 'User';
+ if (user.assignments && user.assignments.length > 0) {
+ const roleNames = user.assignments
+ .map((a) => a.role?.roleName)
+ .filter(Boolean);
+
+ // Check for Admin privileges
+ if (roleNames.some((r) => r === 'Superadmin' || r === 'Org Admin')) {
+ derivedRole = 'ADMIN';
+ }
+ // Check for Document Control privileges
+ else if (roleNames.some((r) => r === 'Document Control')) {
+ derivedRole = 'DC';
+ }
+ }
+
 // eslint-disable-next-line @typescript-eslint/no-unused-vars
 const { password, ...result } = user;
- return result;
+ return { ...result, role: derivedRole };
 }
 return null;
 }
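Review bot: The two `leftJoinAndSelect` calls attach every assignment row and its role entity to `user`, and the second hunk strips only `password` before returning, so the full `assignments` relation travels with the result. If the caller serializes that result into the login response or a token payload (not visible here), the RBAC rows reach the client. Dropping the relation once the role has been derived would avoid that, e.g. `const { password, assignments, ...result } = user;`. The query chain belongs to a method that starts above this hunk, so the caller's use of the return value should be checked as well.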
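Review bot: Mapping both `'Superadmin'` and `'Org Admin'` to the single value `'ADMIN'` discards the difference between the two roles, and any assignment carrying either name is enough, whatever that assignment is scoped to (the assignment entity's other columns are not visible in this hunk). The added comment says the value exists for frontend compatibility, so the code should state that it is a display hint and that server-side guards keep evaluating `user.assignments`, for example `// derivedRole is a UI hint only; never authorize on it server-side`. The role names are also compared as bare string literals in two places; shared constants or an enum would keep a renamed role from silently falling back to `'User'`. The enclosing method starts above this hunk.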