fix: remove client-side role checks to prevent privilege escalation

frontend/src/base/components/settings/contents/Profile.jsx

@@ -7,7 +7,6 @@ import { useNavigate } from "react-router-dom";
 
 import { useAxiosPrivate } from "../../../../service/axios-service";
 import { orgStore } from "../../../../store/org-store";
-import { useSessionStore } from "../../../../store/session-store";
 import { useNotificationService } from "../../../../service/notification-service";
 
 import "./Profile.css";
@@ -19,7 +18,6 @@ const Profile = () => {
   const axios = useAxiosPrivate();
   const navigate = useNavigate();
   const { selectedOrgId } = orgStore();
-  const { sessionDetails } = useSessionStore();
   const { notify } = useNotificationService();
   const csrfToken = Cookies.get("csrftoken");
 
@@ -54,13 +52,13 @@ const Profile = () => {
       const { data } = await axios.get(
         `/api/v1/visitran/${selectedOrgId || "default_org"}/profile`
       );
-      form.setFieldsValue({ ...data, role: sessionDetails.user_role });
+      form.setFieldsValue(data);
       const { first_name, last_name, token } = data;
       initialRef.current = { first_name, last_name, token };
     } catch (error) {
       notify({ error });
     }
-  }, [selectedOrgId, form, sessionDetails.user_role]);
+  }, [selectedOrgId, form]);
 
   const saveProfile = useCallback(
     async (values) => {
@@ -189,22 +187,6 @@ const Profile = () => {
             <Input disabled className="input-300" />
           </Form.Item>
 
-          {/* ---------------------- role ---------------------- */}
-          <Form.Item
-            label="Role"
-            name="role"
-            rules={[
-              {
-                required: true,
-                pattern: /^(?!_)[a-z_]+(?<!_)$/,
-                message:
-                  "Lower-case letters & underscores only (cannot start/end with underscore)",
-              },
-            ]}
-          >
-            <Input disabled className="input-300" />
-          </Form.Item>
-
           {/* -------------------- API token ------------------- */}
           <Form.Item
             label="API Key"

frontend/src/base/components/settings/menutree/MenuTree.jsx

@@ -82,7 +82,6 @@
   const { sessionDetails } = useSessionStore();
 
   const isOrgAdmin = sessionDetails?.is_org_admin;
-  const userRole = sessionDetails?.user_role;
 
   // Build settings children dynamically
   const settingsChildren = useMemo(
@@ -171,13 +170,12 @@
           label: "Settings",
           children: settingsChildren,
         },
-        userRole === "visitran_super_admin" &&
-          uacChildren.length > 0 && {
+        uacChildren.length > 0 && {
             key: "user_access_control",
             icon: <UAC />,
             label: "User Access Control",
             children: uacChildren,
           },
         notificationsChildren.some((c) => !c.disabled) && {
           key: "notifications",
           icon: <SettingOutlined />,
@@ -185,7 +183,7 @@
           children: notificationsChildren,
         },
       ].filter(Boolean),
-    [settingsChildren, uacChildren, notificationsChildren, userRole]
+    [settingsChildren, uacChildren, notificationsChildren]
   );
 
   const handleClick = useCallback(
@@ -201,11 +199,9 @@
       ...(notificationsChildren.some((c) => !c.disabled)
         ? ["notifications"]
         : []),
-      ...(userRole === "visitran_super_admin" && uacChildren.length > 0
-        ? ["user_access_control"]
-        : []),
+      ...(uacChildren.length > 0 ? ["user_access_control"] : []),
     ],
-    [notificationsChildren, uacChildren, userRole]
+    [notificationsChildren, uacChildren]
   );
 
   return (

frontend/src/base/route-component.jsx

@@ -201,22 +201,18 @@ function RouteComponent() {
                   {UserManagement && (
                     <Route path="usermanagement" element={<UserManagement />} />
                   )}
-                  {sessionDetails?.user_role === "visitran_super_admin" && (
-                    <>
-                      {Roles && <Route path="roles" element={<Roles />} />}
-                      {Resources && (
-                        <Route path="resources" element={<Resources />} />
-                      )}
-                      {Permissions && (
-                        <Route path="permissions" element={<Permissions />} />
-                      )}
-                      {SubscriptionAdminPage && (
-                        <Route
-                          path="subscription-admin"
-                          element={<SubscriptionAdminPage />}
-                        />
-                      )}
-                    </>
+                  {Roles && <Route path="roles" element={<Roles />} />}
+                  {Resources && (
+                    <Route path="resources" element={<Resources />} />
+                  )}
+                  {Permissions && (
+                    <Route path="permissions" element={<Permissions />} />
+                  )}
+                  {SubscriptionAdminPage && (
+                    <Route
+                      path="subscription-admin"
+                      element={<SubscriptionAdminPage />}
+                    />
                   )}
                   {Subscriptions && (
                     <Route path="subscriptions" element={<Subscriptions />} />

frontend/src/common/helpers.js

@@ -113,10 +113,7 @@ const checkPermission = (resource, action) => {
   const sessionDetails = useSessionStore.getState().sessionDetails;
   // Handle case when session is expired/undefined/empty (e.g., after logout)
   if (!sessionDetails || Object.keys(sessionDetails).length === 0) return false;
-  const role = sessionDetails.user_role;
-  // Validate user_role exists
-  if (!role) return false;
-  if (role === "visitran_super_admin") return true;
+  // Always use server-returned permissions — never trust client-side role
   return permissions[resource]?.[action] ?? false;
 };