Fix operator role gate: platform-admin (hyphen), not platform_admin

arcadia-app issues the role slug "platform-admin" (hyphen) — confirmed
from a live arcadia-dev JWT (roles: ["admin","platform-admin"]). Every
authorization check here tested for "platform_admin" (underscore), so
real operator tokens got 403 on billing / dashboard / drift and an
empty tenant-scoped result on inventory.

The smoke tests missed it because Guardian.mint_dev_token hardcoded the
underscore form — fixed there too, so the dev helper now matches what
arcadia-app actually emits.

Replaced the string literal "platform_admin" -> "platform-admin" in all
six controllers + guardian.ex. The platform_admin?/1 function names keep
underscores (Elixir identifiers can't contain hyphens) — only the role
string changed.

Verified: with a platform-admin token, /inventory, /billing/balance,
/dashboard/margin and /drift all return 200.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-05-20 18:17:13 +10:00
parent 741692c7d7
commit c10b847324
7 changed files with 7 additions and 7 deletions

View File

@@ -44,7 +44,7 @@ defmodule ArcadiaCloud.Guardian do
"tenant_id" => "tenant-dev",
"tenant_slug" => "dev",
"email" => "dev@example.com",
"roles" => ["platform_admin"]
"roles" => ["platform-admin"]
}
claims = Map.merge(defaults, claims_overrides)

View File

@@ -37,7 +37,7 @@ defmodule ArcadiaCloudWeb.BillingController do
defp require_platform_admin(conn) do
identity = conn.assigns.current_identity
if is_list(identity.roles) and "platform_admin" in identity.roles do
if is_list(identity.roles) and "platform-admin" in identity.roles do
:ok
else
conn

View File

@@ -31,7 +31,7 @@ defmodule ArcadiaCloudWeb.DashboardController do
defp require_platform_admin(conn) do
identity = conn.assigns.current_identity
if is_list(identity.roles) and "platform_admin" in identity.roles do
if is_list(identity.roles) and "platform-admin" in identity.roles do
:ok
else
conn |> put_status(:forbidden) |> json(%{error: "platform_admin_required"}) |> halt()

View File

@@ -126,7 +126,7 @@ defmodule ArcadiaCloudWeb.DeploymentController do
end
end
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform_admin" in roles
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform-admin" in roles
defp platform_admin?(_), do: false
defp shape(d) do

View File

@@ -41,7 +41,7 @@ defmodule ArcadiaCloudWeb.DriftController do
defp require_platform_admin(conn) do
identity = conn.assigns.current_identity
if is_list(identity.roles) and "platform_admin" in identity.roles do
if is_list(identity.roles) and "platform-admin" in identity.roles do
:ok
else
conn

View File

@@ -35,7 +35,7 @@ defmodule ArcadiaCloudWeb.InventoryController do
json(conn, %{resources: resources, count: length(resources)})
end
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform_admin" in roles
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform-admin" in roles
defp platform_admin?(_), do: false
defp maybe_put(opts, _key, nil), do: opts

View File

@@ -36,7 +36,7 @@ defmodule ArcadiaCloudWeb.InvoiceController do
end
end
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform_admin" in roles
defp platform_admin?(%{roles: roles}) when is_list(roles), do: "platform-admin" in roles
defp platform_admin?(_), do: false
defp shape(i) do