From 4d1bdb6e8be09e80b967b6700afdc7de1a3d762e Mon Sep 17 00:00:00 2001
From: sysops <sysops@LenovoT14Gen5>
Date: Sat, 4 Apr 2026 21:16:53 +0200
Subject: [PATCH] fix(ui): rollenbasierte Navigation + domain_auditor-Support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- useAuth.ts: domain_auditor (Level 3) in roleLevels ergänzt
- navbar.tsx: IMAP/POP3-Links nur noch für user + domain_admin;
  domain_auditor bekommt Zugang zum Admin-Bereich
- UserNav.tsx: Rollenbezeichnung deutsch + leserlich (domain_auditor →
  "Domain-Auditor"); Badge ausgeblendet wenn Username = Rollenname

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 src/components/UserNav.tsx | 19 +++++++++++++++----
 src/components/navbar.tsx  |  6 +++---
 src/hooks/useAuth.ts       |  5 +++--
 3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/src/components/UserNav.tsx b/src/components/UserNav.tsx
index 94c6715..34889b3 100644
--- a/src/components/UserNav.tsx
+++ b/src/components/UserNav.tsx
@@ -21,7 +21,16 @@ interface UserNavProps {
 export function UserNav({ username, role }: UserNavProps) {
   const router = useRouter();
 
-  const ADMIN_ROLES = ["auditor", "admin", "domain_admin", "superadmin"];
+  const ADMIN_ROLES = ["auditor", "domain_auditor", "admin", "domain_admin", "superadmin"];
+
+  const ROLE_LABELS: Record<string, string> = {
+    user: "Benutzer",
+    auditor: "Auditor",
+    domain_auditor: "Domain-Auditor",
+    admin: "Admin",
+    domain_admin: "Domain-Admin",
+    superadmin: "Superadmin",
+  };
 
   async function handleLogout() {
     try {
@@ -42,9 +51,11 @@ export function UserNav({ username, role }: UserNavProps) {
           aria-label="Benutzermenu"
         >
           <span className="text-sm font-medium">{username}</span>
-          <Badge variant="secondary" className="text-xs">
-            {role}
-          </Badge>
+          {username !== role && (
+            <Badge variant="secondary" className="text-xs">
+              {ROLE_LABELS[role] ?? role}
+            </Badge>
+          )}
           <ChevronDown className="h-4 w-4 opacity-50" />
         </Button>
       </DropdownMenuTrigger>
diff --git a/src/components/navbar.tsx b/src/components/navbar.tsx
index 7c3397e..ebfefea 100644
--- a/src/components/navbar.tsx
+++ b/src/components/navbar.tsx
@@ -31,7 +31,7 @@ export function Navbar({ username, role }: NavbarProps) {
               Suche
             </Link>
           )}
-          {role !== "superadmin" && (
+          {(role === "user" || role === "domain_admin") && (
             <Link
               href="/imap"
               className="text-sm text-muted-foreground hover:text-foreground transition-colors"
@@ -39,7 +39,7 @@ export function Navbar({ username, role }: NavbarProps) {
               IMAP Import
             </Link>
           )}
-          {role !== "superadmin" && (
+          {(role === "user" || role === "domain_admin") && (
             <Link
               href="/pop3"
               className="text-sm text-muted-foreground hover:text-foreground transition-colors"
@@ -47,7 +47,7 @@ export function Navbar({ username, role }: NavbarProps) {
               POP3 Import
             </Link>
           )}
-          {(role === "admin" || role === "domain_admin" || role === "superadmin") && (
+          {(role === "admin" || role === "domain_admin" || role === "domain_auditor" || role === "superadmin") && (
             <Link
               href="/admin"
               className="text-sm text-muted-foreground hover:text-foreground transition-colors"
diff --git a/src/hooks/useAuth.ts b/src/hooks/useAuth.ts
index 2b04c6d..1b86385 100644
--- a/src/hooks/useAuth.ts
+++ b/src/hooks/useAuth.ts
@@ -7,11 +7,12 @@ import { getCachedUser, setCachedUser } from "@/lib/auth-cache";
 
 export { clearAuthCache } from "@/lib/auth-cache";
 
-// Role hierarchy: superadmin(5) > domain_admin(4) > admin(3) > auditor(2) > user(1)
+// Role hierarchy: superadmin(5) > domain_admin(4) > domain_auditor(3) > auditor(2) > user(1)
 const roleLevels: Record<string, number> = {
   user: 1,
   auditor: 2,
-  admin: 3,
+  domain_auditor: 3,
+  admin: 3,        // legacy alias
   domain_admin: 4,
   superadmin: 5,
 };