From c1e16cf9fff4bbfcd44e326303b31e44ae036c3c Mon Sep 17 00:00:00 2001
From: Joseph Doherty
Date: Thu, 28 May 2026 12:36:46 -0400
Subject: [PATCH] fix(centralui): role guard uses RoleClaimType, not IsInRole
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ClaimsIdentity is built without an explicit roleType, so IsInRole("Design") checks ClaimTypes.Role while actual claims use "Role" — the guard always returned not-authorized. Switch to HasClaim(RoleClaimType, "Design").
---
 .../Services/OpcUaBrowseService.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/OpcUaBrowseService.cs b/src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/OpcUaBrowseService.cs
index 6adec7f3..1fb2d686 100644
--- a/src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/OpcUaBrowseService.cs
+++ b/src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/OpcUaBrowseService.cs
@@ -2,6 +2,7 @@ using Microsoft.AspNetCore.Components.Authorization;
 using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Protocol;
 using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management;
 using ZB.MOM.WW.ScadaBridge.Communication;
+using ZB.MOM.WW.ScadaBridge.Security;
 
 namespace ZB.MOM.WW.ScadaBridge.CentralUI.Services;
 
@@ -44,7 +45,7 @@ public sealed class OpcUaBrowseService : IOpcUaBrowseService
         // CentralUI-side role guard — sites don't enforce envelope-level roles,
         // so the Design check must happen here before any cross-cluster traffic.
         var state = await _auth.GetAuthenticationStateAsync();
-        if (!state.User.IsInRole("Design"))
+        if (!state.User.HasClaim(JwtTokenService.RoleClaimType, "Design"))
         {
             return new BrowseOpcUaNodeResult(
                 Array.Empty(),
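Review bot: The new check `state.User.HasClaim(JwtTokenService.RoleClaimType, "Design")` fixes this one call site, but the root cause named in the commit message — a ClaimsIdentity built without a roleType — still leaves `IsInRole` and any `[Authorize(Roles = ...)]` usage elsewhere in CentralUI checking ClaimTypes.Role against claims issued under "Role". The more durable fix is at identity construction, presumably in JwtTokenService (not in this hunk): pass `JwtTokenService.RoleClaimType` as the `roleType` argument of the `ClaimsIdentity` constructor so the framework's role checks agree with the claims actually issued, after which this guard could keep using `IsInRole("Design")` and the new `using` would be unnecessary. Since the comment above this check states it is the only enforcement point before cross-cluster traffic, a regression test that builds a ClaimsPrincipal with and without a `RoleClaimType`/"Design" claim and asserts the empty `BrowseOpcUaNodeResult` in the negative case would stop the guard from silently flipping again. The enclosing method starts and ends outside the hunk.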