From 763ccf031e0cd34ef880e4fe8108fb6f12424cbb Mon Sep 17 00:00:00 2001
From: Copilot <copilot@github.com>
Date: Mon, 2 Mar 2026 13:15:21 -0800
Subject: [PATCH] docs(admin): remove readonly role references

---
 weed/admin/README.md                | 4 ++--
 weed/command/scaffold/security.toml | 7 +------
 2 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/weed/admin/README.md b/weed/admin/README.md
index d6777a4f1..a97515b01 100644
--- a/weed/admin/README.md
+++ b/weed/admin/README.md
@@ -172,7 +172,7 @@ redirect_url = "https://admin.example.com/login/oidc/callback"
 scopes = ["openid", "profile", "email"]
 
 [admin.oidc.role_mapping]
-default_role = "readonly"
+default_role = "admin"
 
 [[admin.oidc.role_mapping.rules]]
 claim = "groups"
@@ -180,7 +180,7 @@ value = "seaweedfs-admin"
 role = "admin"
 ```
 
-Role mapping must resolve to either `admin` or `readonly`.
+Role mapping must resolve to `admin`.
 OIDC sessions are capped to the ID token expiration time.
 
 ### Docker Usage
diff --git a/weed/command/scaffold/security.toml b/weed/command/scaffold/security.toml
index 32681637b..07c4f7341 100644
--- a/weed/command/scaffold/security.toml
+++ b/weed/command/scaffold/security.toml
@@ -180,18 +180,13 @@ tls_ca_cert = ""                  # optional absolute path for custom CA bundle
 tls_insecure_skip_verify = false  # testing only; do not use in production
 
 [admin.oidc.role_mapping]
-default_role = "readonly"
+default_role = "admin"
 
 [[admin.oidc.role_mapping.rules]]
 claim = "groups"
 value = "seaweedfs-admin"
 role = "admin"
 
-[[admin.oidc.role_mapping.rules]]
-claim = "groups"
-value = "seaweedfs-readonly"
-role = "readonly"
-
 # white list. It's checking request ip address.
 [guard]
 white_list = ""