From 4aabda440fc3f0592f68293e41034d5bc0964913 Mon Sep 17 00:00:00 2001
From: hailin
Date: Sat, 7 Mar 2026 05:45:59 -0800
Subject: [PATCH] fix(auth): allow platform_admin to manage tenant members and invites

Member/invite endpoints were restricted to 'admin' role only, blocking platform_admin from accessing them on the tenant detail page (403). Added platform_admin and platform_super_admin to all six endpoints.

Co-Authored-By: Claude Sonnet 4.6
---
 .../interfaces/rest/controllers/tenant.controller.ts | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/packages/services/auth-service/src/interfaces/rest/controllers/tenant.controller.ts b/packages/services/auth-service/src/interfaces/rest/controllers/tenant.controller.ts
index ce2aee2..acf1633 100644
--- a/packages/services/auth-service/src/interfaces/rest/controllers/tenant.controller.ts
+++ b/packages/services/auth-service/src/interfaces/rest/controllers/tenant.controller.ts
@@ -159,7 +159,7 @@ export class TenantController {
 * GET /api/v1/admin/tenants/:id/members
 */
 @Get(':id/members')
- @Roles('admin')
+ @Roles('admin', 'platform_admin', 'platform_super_admin')
 async listMembers(@Param('id') id: string) {
 const tenant = await this.findTenantOrFail(id);
 const schemaName = `it0_t_${tenant.slug}`;
@@ -186,7 +186,7 @@ export class TenantController {
 * PATCH /api/v1/admin/tenants/:id/members/:memberId
 */
 @Patch(':id/members/:memberId')
- @Roles('admin')
+ @Roles('admin', 'platform_admin', 'platform_super_admin')
 async updateMember(
 @Param('id') tenantId: string,
 @Param('memberId') memberId: string,
@@ -259,7 +259,7 @@ export class TenantController {
 * DELETE /api/v1/admin/tenants/:id/members/:memberId
 */
 @Delete(':id/members/:memberId')
- @Roles('admin')
+ @Roles('admin', 'platform_admin', 'platform_super_admin')
 async removeMember(
 @Param('id') tenantId: string,
 @Param('memberId') memberId: string,
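Review bot: The three-role list is written out as string literals in all six `@Roles(...)` decorators (listMembers, updateMember, removeMember, listInvites, createInvite, revokeInvite), so a later edit that misses one endpoint or misspells a role would silently leave authorization inconsistent across the controller. I would define it once, for example `const TENANT_MEMBER_MANAGERS = ['admin', 'platform_admin', 'platform_super_admin'] as const;` (name is a suggestion), and use `@Roles(...TENANT_MEMBER_MANAGERS)` on each handler, with a comment stating that the platform roles act across tenants on these routes. The change widens access on the three mutating endpoints as well as the two reads; the handler bodies lie outside the hunks, so whether those cross-tenant changes are audit-logged cannot be confirmed from this diff and is worth checking before merge.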
@@ -296,7 +296,7 @@ export class TenantController {
 * GET /api/v1/admin/tenants/:id/invites
 */
 @Get(':id/invites')
- @Roles('admin')
+ @Roles('admin', 'platform_admin', 'platform_super_admin')
 async listInvites(@Param('id') id: string) {
 const tenant = await this.findTenantOrFail(id);
 const invites = await this.authService.listInvites(tenant.slug);
@@ -315,7 +315,7 @@ export class TenantController {
 * POST /api/v1/admin/tenants/:id/invites
 */
 @Post(':id/invites')
- @Roles('admin')
+ @Roles('admin', 'platform_admin', 'platform_super_admin')
 async createInvite(
 @Param('id') id: string,
 @Body() body: { email: string; role?: string },
@@ -343,7 +343,7 @@ export class TenantController {
 * DELETE /api/v1/admin/tenants/:id/invites/:inviteId
 */
 @Delete(':id/invites/:inviteId')
- @Roles('admin')
+ @Roles('admin', 'platform_admin', 'platform_super_admin')
 async revokeInvite(
 @Param('id') id: string,
 @Param('inviteId') inviteId: string,
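Review bot: In the `createInvite` hunk the request body is typed `{ email: string; role?: string }`, so the invite role is a free-form string, and after this change callers holding `platform_admin` can reach the endpoint for any tenant id; nothing visible in the hunk limits which role an invite may carry. The handler body is outside the hunk, so this may already be enforced, but if it is not, the role should be checked against an allow-list of tenant-level roles before the invite is stored, for example `if (body.role && !ALLOWED_INVITE_ROLES.includes(body.role)) throw new BadRequestException('invalid role');`, where `ALLOWED_INVITE_ROLES` is a placeholder for a list the project would define. `updateMember` (the hunk at line 186) presumably needs the same check if its body accepts a role, which the visible lines do not show.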