From 88abca5d6d00a9df179c1733f70c553bd3c66de8 Mon Sep 17 00:00:00 2001
From: Dustin Healy <54083382+dustinhealy@users.noreply.github.com>
Date: Wed, 25 Mar 2026 14:49:04 -0700
Subject: [PATCH] fix: allow system role updates when name is unchanged

The updateRoleHandler guard rejected any request where body.name matched
a system role, even when the name was not being changed. This blocked
editing a system role's description. Compare against the URL param to
only reject actual renames to reserved names.
---
 packages/api/src/admin/roles.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/packages/api/src/admin/roles.ts b/packages/api/src/admin/roles.ts
index afdaefe945..56dedd61cc 100644
--- a/packages/api/src/admin/roles.ts
+++ b/packages/api/src/admin/roles.ts
@@ -111,7 +111,11 @@ export function createAdminRolesHandlers(deps: AdminRolesDeps) {
       ) {
         return res.status(400).json({ error: 'name must be a non-empty string' });
       }
-      if (body.name && SystemRoles[body.name.trim() as keyof typeof SystemRoles]) {
+      if (
+        body.name &&
+        body.name.trim() !== name &&
+        SystemRoles[body.name.trim() as keyof typeof SystemRoles]
+      ) {
         return res.status(409).json({ error: 'Cannot rename to a reserved system role name' });
       }