Filter user lists by role hierarchy

src/main/kotlin/com/android/trisolarisserver/controller/property/Properties.kt

@@ -101,8 +101,14 @@ class Properties(
         requirePrincipal(principal)
         propertyAccess.requireMember(propertyId, principal!!.userId)
         propertyAccess.requireAnyRole(propertyId, principal.userId, Role.ADMIN, Role.MANAGER)
-        val users = propertyUserRepo.findByIdPropertyId(propertyId)
+        val actorUser = appUserRepo.findById(principal.userId).orElse(null)
-        return users.filter { it.id.userId != principal.userId }.map {
+        val actorRoles = propertyUserRepo.findRolesByPropertyAndUser(propertyId, principal.userId)
+        val actorRank = rankForUser(actorUser?.superAdmin == true, actorRoles)
+        val users = propertyUserRepo.findByPropertyIdWithUser(propertyId)
+        return users
+            .filter { it.id.userId != principal.userId }
+            .filter { actorRank >= rankForUser(it.user.superAdmin, it.roles) }
+            .map {
             PropertyUserResponse(
                 userId = it.id.userId!!,
                 propertyId = it.id.propertyId!!,
@@ -271,6 +277,20 @@ class Properties(
             throw ResponseStatusException(HttpStatus.BAD_REQUEST, "Unknown transport mode")
         }
     }
+
+    private fun rankForUser(isSuperAdmin: Boolean, roles: Set<Role>): Int {
+        if (isSuperAdmin) return 500
+        return roles.maxOfOrNull { roleRank(it) } ?: 0
+    }
+
+    private fun roleRank(role: Role): Int {
+        return when (role) {
+            Role.ADMIN -> 400
+            Role.MANAGER -> 300
+            Role.STAFF, Role.HOUSEKEEPING, Role.FINANCE, Role.SUPERVISOR, Role.GUIDE -> 200
+            Role.AGENT -> 100
+        }
+    }
 }
 
 private fun Property.toResponse(): PropertyResponse {

src/main/kotlin/com/android/trisolarisserver/controller/property/UserDirectory.kt

@@ -56,13 +56,20 @@ class UserDirectory(
         propertyAccess.requireMember(propertyId, resolved.userId)
         propertyAccess.requireAnyRole(propertyId, resolved.userId, Role.ADMIN)
 
+        val actorUser = appUserRepo.findById(resolved.userId).orElse(null)
+        val actorRoles = propertyUserRepo.findRolesByPropertyAndUser(propertyId, resolved.userId)
+        val actorRank = rankForUser(actorUser?.superAdmin == true, actorRoles)
+
         val digits = phone?.filter { it.isDigit() }.orEmpty()
         val users = when {
             phone == null -> propertyUserRepo.findByPropertyIdWithUser(propertyId)
             digits.length < 6 -> return emptyList()
             else -> propertyUserRepo.findByPropertyIdAndPhoneLike(propertyId, digits)
         }
-        return users.filter { it.id.userId != resolved.userId }.map {
+        return users
+            .filter { it.id.userId != resolved.userId }
+            .filter { actorRank >= rankForUser(it.user.superAdmin, it.roles) }
+            .map {
             val user = it.user
             PropertyUserDetailsResponse(
                 userId = it.id.userId!!,
@@ -75,4 +82,18 @@ class UserDirectory(
             )
         }
     }
+
+    private fun rankForUser(isSuperAdmin: Boolean, roles: Set<Role>): Int {
+        if (isSuperAdmin) return 500
+        return roles.maxOfOrNull { roleRank(it) } ?: 0
+    }
+
+    private fun roleRank(role: Role): Int {
+        return when (role) {
+            Role.ADMIN -> 400
+            Role.MANAGER -> 300
+            Role.STAFF, Role.HOUSEKEEPING, Role.FINANCE, Role.SUPERVISOR, Role.GUIDE -> 200
+            Role.AGENT -> 100
+        }
+    }
 }