From b4d0a24320646287264a940c8d37211eff681127 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jesko=20Ansch=C3=BCtz?= <jesko@linuxmuster.net>
Date: Fri, 27 Mar 2026 21:59:32 +0100
Subject: [PATCH] fix(auth): restricted-User landen nach Login auf eigenen
 Screens (nicht Tenant-Dashboard)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Login und already-logged-in-Check verwendeten default-Branch für restricted-Rolle,
der zum Tenant-Dashboard mit allen Screens führte. Jetzt wie screen_user behandelt.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 server/backend/internal/httpapi/manage/auth.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/backend/internal/httpapi/manage/auth.go b/server/backend/internal/httpapi/manage/auth.go
index f345ba7..ad54a31 100644
--- a/server/backend/internal/httpapi/manage/auth.go
+++ b/server/backend/internal/httpapi/manage/auth.go
@@ -51,7 +51,7 @@ func HandleLoginUI(authStore *store.AuthStore, screenStore *store.ScreenStore, c
 				switch u.Role {
 				case "admin":
 					http.Redirect(w, r, "/admin", http.StatusSeeOther)
-				case "screen_user":
+				case "screen_user", "restricted":
 					handleScreenUserRedirect(w, r, screenStore, u)
 				default:
 					if u.TenantSlug != "" {
@@ -159,7 +159,7 @@ func HandleLoginPost(authStore *store.AuthStore, screenStore *store.ScreenStore,
 		switch user.Role {
 		case "admin":
 			http.Redirect(w, r, "/admin", http.StatusSeeOther)
-		case "screen_user":
+		case "screen_user", "restricted":
 			handleScreenUserRedirect(w, r, screenStore, user)
 		default:
 			if user.TenantSlug != "" {