From 01aca8971b843d53ab141334340e6655486b36dc Mon Sep 17 00:00:00 2001
From: Tiago Yamamoto
Date: Thu, 25 Dec 2025 23:20:22 -0300
Subject: [PATCH] fix(auth): include legacy role column in getRoles query

The superadmin role was stored in users.role column but getRoles() only checked user_roles table. Updated to use UNION query that combines both sources for backward compatibility. Fixes 403 Forbidden on /api/v1/users for admin users.
---
 .../persistence/postgres/user_repository.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/backend/internal/infrastructure/persistence/postgres/user_repository.go b/backend/internal/infrastructure/persistence/postgres/user_repository.go
index f0ad53c..17b9e2e 100644
--- a/backend/internal/infrastructure/persistence/postgres/user_repository.go
+++ b/backend/internal/infrastructure/persistence/postgres/user_repository.go
@@ -162,7 +162,14 @@ func (r *UserRepository) Delete(ctx context.Context, id string) error {
 }

 func (r *UserRepository) getRoles(ctx context.Context, userID string) ([]entity.Role, error) {
- rows, err := r.db.QueryContext(ctx, `SELECT role FROM user_roles WHERE user_id = $1`, userID)
+ // Query both user_roles table AND legacy role column from users table
+ // This ensures backward compatibility with users who have role set in users.role
+ query := `
+ SELECT role FROM user_roles WHERE user_id = $1
+ UNION
+ SELECT role FROM users WHERE id = $1 AND role IS NOT NULL AND role != ''
+ `
+ rows, err := r.db.QueryContext(ctx, query, userID)
 if err != nil {
 return nil, err
 }
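Review bot: The second branch of the UNION in `getRoles` makes `users.role` a second source of authorization, so deleting a user's row from `user_roles` no longer removes a role that is still set in the legacy column. The write paths are not in this hunk; if role revocation only touches `user_roles`, a demoted superadmin would keep access, so either clear `users.role` on revocation or backfill `user_roles` once and drop the fallback. Until then I would say so above the query, e.g. `// SECURITY: users.role also grants roles; revocation must clear it as well as user_roles`. The legacy value also reaches the caller without any visible check against the known role set; the rest of `getRoles` lies outside the hunk, so confirm the scan loop rejects unexpected strings.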