Restrict booking list to non-agent roles

src/main/kotlin/com/android/trisolarisserver/controller/BookingFlow.kt

@@ -136,7 +136,16 @@ class BookingFlow(
         @AuthenticationPrincipal principal: MyPrincipal?,
         @RequestParam(required = false) status: String?
     ): List<BookingListItem> {
-        requireMember(propertyAccess, propertyId, principal)
+        requireRole(
+            propertyAccess,
+            propertyId,
+            principal,
+            Role.ADMIN,
+            Role.MANAGER,
+            Role.STAFF,
+            Role.HOUSEKEEPING,
+            Role.FINANCE
+        )
         val statuses = parseStatuses(status)
         val bookings = if (statuses.isEmpty()) {
             bookingRepo.findByPropertyIdOrderByCreatedAtDesc(propertyId)