From 52f9b94031b19b9046b0dabf1de61d0593d1ca84 Mon Sep 17 00:00:00 2001
From: androidlover5842 <androidlover5842@gmail.com>
Date: Thu, 29 Jan 2026 09:50:19 +0530
Subject: [PATCH] Restrict booking list to non-agent roles

---
 .../trisolarisserver/controller/BookingFlow.kt        | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/main/kotlin/com/android/trisolarisserver/controller/BookingFlow.kt b/src/main/kotlin/com/android/trisolarisserver/controller/BookingFlow.kt
index 0ba36c4..935e347 100644
--- a/src/main/kotlin/com/android/trisolarisserver/controller/BookingFlow.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/controller/BookingFlow.kt
@@ -136,7 +136,16 @@ class BookingFlow(
         @AuthenticationPrincipal principal: MyPrincipal?,
         @RequestParam(required = false) status: String?
     ): List<BookingListItem> {
-        requireMember(propertyAccess, propertyId, principal)
+        requireRole(
+            propertyAccess,
+            propertyId,
+            principal,
+            Role.ADMIN,
+            Role.MANAGER,
+            Role.STAFF,
+            Role.HOUSEKEEPING,
+            Role.FINANCE
+        )
         val statuses = parseStatuses(status)
         val bookings = if (statuses.isEmpty()) {
             bookingRepo.findByPropertyIdOrderByCreatedAtDesc(propertyId)