Fix operator role gate: platform-admin (hyphen), not platform_admin

arcadia-app issues the role slug "platform-admin" (hyphen) — confirmed
from a live arcadia-dev JWT (roles: ["admin","platform-admin"]). Every
authorization check here tested for "platform_admin" (underscore), so
real operator tokens got 403 on billing / dashboard / drift and an
empty tenant-scoped result on inventory.

The smoke tests missed it because Guardian.mint_dev_token hardcoded the
underscore form — fixed there too, so the dev helper now matches what
arcadia-app actually emits.

Replaced the string literal "platform_admin" -> "platform-admin" in all
six controllers + guardian.ex. The platform_admin?/1 function names keep
underscores (Elixir identifiers can't contain hyphens) — only the role
string changed.

Verified: with a platform-admin token, /inventory, /billing/balance,
/dashboard/margin and /drift all return 200.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 18:17:13 +10:00
parent 741692c7d7
commit c10b847324
7 changed files with 7 additions and 7 deletions

@@ -126,7 +126,7 @@ defmodule ArcadiaCloudWeb.DeploymentController do
end
end
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform_admin" in roles
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform-admin" in roles
defp platform_admin?(_), do: false
defp shape(d) do
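
Review bot: the role slug on the changed `platform_admin?/1` clause is still a bare string literal private to DeploymentController, and per the commit message the same literal is repeated in six controllers plus guardian.ex, so the copies can drift apart again the way the underscore form did. Consider defining the slug once in a shared module and having both the controllers' `platform_admin?/1` checks and `Guardian.mint_dev_token` read it from there, so the gate and the dev helper cannot disagree. Because the smoke tests passed while real tokens got 403, it would also help to add a test whose roles list is copied from what arcadia-app emits (`["admin","platform-admin"]`) rather than from the helper, plus one asserting that the fallback clause `platform_admin?(_)` still denies a token with no roles list.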