Fix operator role gate: platform-admin (hyphen), not platform_admin
arcadia-app issues the role slug "platform-admin" (hyphen) — confirmed from a live arcadia-dev JWT (roles: ["admin","platform-admin"]). Every authorization check here tested for "platform_admin" (underscore), so real operator tokens got 403 on billing / dashboard / drift and an empty tenant-scoped result on inventory. The smoke tests missed it because Guardian.mint_dev_token hardcoded the underscore form — fixed there too, so the dev helper now matches what arcadia-app actually emits. Replaced the string literal "platform_admin" -> "platform-admin" in all six controllers + guardian.ex. The platform_admin?/1 function names keep underscores (Elixir identifiers can't contain hyphens) — only the role string changed. Verified: with a platform-admin token, /inventory, /billing/balance, /dashboard/margin and /drift all return 200. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -44,7 +44,7 @@ defmodule ArcadiaCloud.Guardian do
|
|||||||
"tenant_id" => "tenant-dev",
|
"tenant_id" => "tenant-dev",
|
||||||
"tenant_slug" => "dev",
|
"tenant_slug" => "dev",
|
||||||
"email" => "dev@example.com",
|
"email" => "dev@example.com",
|
||||||
"roles" => ["platform_admin"]
|
"roles" => ["platform-admin"]
|
||||||
}
|
}
|
||||||
|
|
||||||
claims = Map.merge(defaults, claims_overrides)
|
claims = Map.merge(defaults, claims_overrides)
|
||||||
|
|||||||
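Review bot: The dev-token defaults in this hunk give every minted token the operator role (`"roles" => ["platform-admin"]`) unless the caller overrides it, so smoke tests built on the helper exercise the admin path by default and never the deny path. The slug here is also a separate hand-written copy of the string the controllers compare against, which is how the helper and the real issuer drifted apart; reading it from one shared definition would keep them in step. The function body starts and ends outside the hunk, so whether the helper is excluded from or refused in production builds cannot be seen here. That is worth confirming, and worth a comment such as `# Dev/test only: mints an operator token by default; must not be reachable in prod.`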
@@ -37,7 +37,7 @@ defmodule ArcadiaCloudWeb.BillingController do
|
|||||||
defp require_platform_admin(conn) do
|
defp require_platform_admin(conn) do
|
||||||
identity = conn.assigns.current_identity
|
identity = conn.assigns.current_identity
|
||||||
|
|
||||||
if is_list(identity.roles) and "platform_admin" in identity.roles do
|
if is_list(identity.roles) and "platform-admin" in identity.roles do
|
||||||
:ok
|
:ok
|
||||||
else
|
else
|
||||||
conn
|
conn
|
||||||
|
|||||||
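Review bot: The role slug `"platform-admin"` is still a bare string literal in this check, and the same literal is repeated in DashboardController, DriftController, DeploymentController, InventoryController and InvoiceController, so the next change to the slug needs six edits that must all agree. A single definition would leave one place to fix and one place to test, for example one module attribute `@platform_admin_role "platform-admin"` behind one shared `platform_admin?/1` that every controller calls. The three `require_platform_admin/1` copies (here, Dashboard and Drift) look like the same gate and could be one plug or helper. The function continues past the end of the hunk.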
@@ -31,7 +31,7 @@ defmodule ArcadiaCloudWeb.DashboardController do
|
|||||||
defp require_platform_admin(conn) do
|
defp require_platform_admin(conn) do
|
||||||
identity = conn.assigns.current_identity
|
identity = conn.assigns.current_identity
|
||||||
|
|
||||||
if is_list(identity.roles) and "platform_admin" in identity.roles do
|
if is_list(identity.roles) and "platform-admin" in identity.roles do
|
||||||
:ok
|
:ok
|
||||||
else
|
else
|
||||||
conn |> put_status(:forbidden) |> json(%{error: "platform_admin_required"}) |> halt()
|
conn |> put_status(:forbidden) |> json(%{error: "platform_admin_required"}) |> halt()
|
||||||
|
|||||||
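Review bot: The 403 body on the last visible line still returns `%{error: "platform_admin_required"}` with an underscore, while the role it refers to is now `"platform-admin"`. Leaving the error code unchanged looks right if API clients match on it, but the two spellings side by side invite a later "fix" in the wrong direction. A comment on that line such as `# error code for API clients, not the role slug; keep the underscore` would make the intent explicit.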
@@ -126,7 +126,7 @@ defmodule ArcadiaCloudWeb.DeploymentController do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform_admin" in roles
|
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform-admin" in roles
|
||||||
defp platform_admin?(_), do: false
|
defp platform_admin?(_), do: false
|
||||||
|
|
||||||
defp shape(d) do
|
defp shape(d) do
|
||||||
|
|||||||
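Review bot: `platform_admin?/1` returns `false` both for a non-matching slug and for a malformed identity, and nothing in the hunk records which case occurred. The commit description reports that on inventory this showed up as an empty tenant-scoped result instead of an error, which is why it went unnoticed. The same two clauses appear in InventoryController and InvoiceController. A doc comment on the helper would help, e.g. `# Exact match on the issuer's role slug; a mismatch silently falls back to non-operator handling`. A test that feeds a claim set shaped like the real issuer's (`["admin", "platform-admin"]`) and asserts the operator result would catch a repeat. The callers of the helper are outside the hunk.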
@@ -41,7 +41,7 @@ defmodule ArcadiaCloudWeb.DriftController do
|
|||||||
defp require_platform_admin(conn) do
|
defp require_platform_admin(conn) do
|
||||||
identity = conn.assigns.current_identity
|
identity = conn.assigns.current_identity
|
||||||
|
|
||||||
if is_list(identity.roles) and "platform_admin" in identity.roles do
|
if is_list(identity.roles) and "platform-admin" in identity.roles do
|
||||||
:ok
|
:ok
|
||||||
else
|
else
|
||||||
conn
|
conn
|
||||||
|
|||||||
@@ -35,7 +35,7 @@ defmodule ArcadiaCloudWeb.InventoryController do
|
|||||||
json(conn, %{resources: resources, count: length(resources)})
|
json(conn, %{resources: resources, count: length(resources)})
|
||||||
end
|
end
|
||||||
|
|
||||||
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform_admin" in roles
|
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform-admin" in roles
|
||||||
defp platform_admin?(_), do: false
|
defp platform_admin?(_), do: false
|
||||||
|
|
||||||
defp maybe_put(opts, _key, nil), do: opts
|
defp maybe_put(opts, _key, nil), do: opts
|
||||||
|
|||||||
@@ -36,7 +36,7 @@ defmodule ArcadiaCloudWeb.InvoiceController do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform_admin" in roles
|
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform-admin" in roles
|
||||||
defp platform_admin?(_), do: false
|
defp platform_admin?(_), do: false
|
||||||
|
|
||||||
defp shape(i) do
|
defp shape(i) do
|
||||||
|
|||||||