From 53300a1ffe84cb5da62f41e4f21f78ae3e295455 Mon Sep 17 00:00:00 2001
From: Copilot
Date: Mon, 2 Mar 2026 13:20:03 -0800
Subject: [PATCH] Revert "docs(admin): remove readonly role references"

This reverts commit 763ccf031e0cd34ef880e4fe8108fb6f12424cbb.
---
 weed/admin/README.md | 4 ++--
 weed/command/scaffold/security.toml | 7 ++++++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/weed/admin/README.md b/weed/admin/README.md
index a97515b01..d6777a4f1 100644
--- a/weed/admin/README.md
+++ b/weed/admin/README.md
@@ -172,7 +172,7 @@ redirect_url = "https://admin.example.com/login/oidc/callback"
 scopes = ["openid", "profile", "email"]
 
 [admin.oidc.role_mapping]
-default_role = "admin"
+default_role = "readonly"
 
 [[admin.oidc.role_mapping.rules]]
 claim = "groups"
@@ -180,7 +180,7 @@ value = "seaweedfs-admin"
 role = "admin"
 ```
 
-Role mapping must resolve to `admin`.
+Role mapping must resolve to either `admin` or `readonly`.
 OIDC sessions are capped to the ID token expiration time.
 
 ### Docker Usage
diff --git a/weed/command/scaffold/security.toml b/weed/command/scaffold/security.toml
index 07c4f7341..32681637b 100644
--- a/weed/command/scaffold/security.toml
+++ b/weed/command/scaffold/security.toml
@@ -180,13 +180,18 @@ tls_ca_cert = "" # optional absolute path for custom CA bundle
 tls_insecure_skip_verify = false # testing only; do not use in production
 
 [admin.oidc.role_mapping]
-default_role = "admin"
+default_role = "readonly"
 
 [[admin.oidc.role_mapping.rules]]
 claim = "groups"
 value = "seaweedfs-admin"
 role = "admin"
 
+[[admin.oidc.role_mapping.rules]]
+claim = "groups"
+value = "seaweedfs-readonly"
+role = "readonly"
+
 # white list. It's checking request ip address.
 [guard]
 white_list = ""
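Review bot: In the weed/command/scaffold/security.toml hunk, `default_role = "readonly"` carries no comment saying what it governs; going by the name it is presumably the role handed to any OIDC-authenticated user that matches no rule, which would mean every account the identity provider can authenticate gets read access to the admin UI. I would add above it `# Role assigned when no rule below matches: every user the IdP authenticates receives it, so restrict sign-in at the IdP if that is too broad.` (wording to be confirmed against the role-mapping code). Both rules now test the same `groups` claim and nothing visible states which one wins for a user who is in both groups, so a one-line comment above the first `[[admin.oidc.role_mapping.rules]]` stating the evaluation order would remove the guesswork. The `[admin.oidc]` keys that precede this table start outside the hunk.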