Fix operator role gate: platform-admin (hyphen), not platform_admin
arcadia-app issues the role slug "platform-admin" (hyphen) — confirmed from a live arcadia-dev JWT (roles: ["admin","platform-admin"]). Every authorization check here tested for "platform_admin" (underscore), so real operator tokens got 403 on billing / dashboard / drift and an empty tenant-scoped result on inventory. The smoke tests missed it because Guardian.mint_dev_token hardcoded the underscore form — fixed there too, so the dev helper now matches what arcadia-app actually emits. Replaced the string literal "platform_admin" -> "platform-admin" in all six controllers + guardian.ex. The platform_admin?/1 function names keep underscores (Elixir identifiers can't contain hyphens) — only the role string changed. Verified: with a platform-admin token, /inventory, /billing/balance, /dashboard/margin and /drift all return 200. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -37,7 +37,7 @@ defmodule ArcadiaCloudWeb.BillingController do
|
||||
defp require_platform_admin(conn) do
|
||||
identity = conn.assigns.current_identity
|
||||
|
||||
if is_list(identity.roles) and "platform_admin" in identity.roles do
|
||||
if is_list(identity.roles) and "platform-admin" in identity.roles do
|
||||
:ok
|
||||
else
|
||||
conn
|
||||
|
||||
@@ -31,7 +31,7 @@ defmodule ArcadiaCloudWeb.DashboardController do
|
||||
defp require_platform_admin(conn) do
|
||||
identity = conn.assigns.current_identity
|
||||
|
||||
if is_list(identity.roles) and "platform_admin" in identity.roles do
|
||||
if is_list(identity.roles) and "platform-admin" in identity.roles do
|
||||
:ok
|
||||
else
|
||||
conn |> put_status(:forbidden) |> json(%{error: "platform_admin_required"}) |> halt()
|
||||
|
||||
@@ -126,7 +126,7 @@ defmodule ArcadiaCloudWeb.DeploymentController do
|
||||
end
|
||||
end
|
||||
|
||||
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform_admin" in roles
|
||||
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform-admin" in roles
|
||||
defp platform_admin?(_), do: false
|
||||
|
||||
defp shape(d) do
|
||||
|
||||
@@ -41,7 +41,7 @@ defmodule ArcadiaCloudWeb.DriftController do
|
||||
defp require_platform_admin(conn) do
|
||||
identity = conn.assigns.current_identity
|
||||
|
||||
if is_list(identity.roles) and "platform_admin" in identity.roles do
|
||||
if is_list(identity.roles) and "platform-admin" in identity.roles do
|
||||
:ok
|
||||
else
|
||||
conn
|
||||
|
||||
@@ -35,7 +35,7 @@ defmodule ArcadiaCloudWeb.InventoryController do
|
||||
json(conn, %{resources: resources, count: length(resources)})
|
||||
end
|
||||
|
||||
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform_admin" in roles
|
||||
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform-admin" in roles
|
||||
defp platform_admin?(_), do: false
|
||||
|
||||
defp maybe_put(opts, _key, nil), do: opts
|
||||
|
||||
@@ -36,7 +36,7 @@ defmodule ArcadiaCloudWeb.InvoiceController do
|
||||
end
|
||||
end
|
||||
|
||||
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform_admin" in roles
|
||||
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform-admin" in roles
|
||||
defp platform_admin?(_), do: false
|
||||
|
||||
defp shape(i) do
|
||||
|
||||
Reference in New Issue
Block a user