From 6001b009cdafaafe2cb987f54af7bc6885ac453b Mon Sep 17 00:00:00 2001
From: androidlover5842
Date: Wed, 28 Jan 2026 05:58:40 +0530
Subject: [PATCH] Restrict issued card list to non-agent roles

---
 .../controller/IssuedCards.kt | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/main/kotlin/com/android/trisolarisserver/controller/IssuedCards.kt b/src/main/kotlin/com/android/trisolarisserver/controller/IssuedCards.kt
index bc31287..5043654 100644
--- a/src/main/kotlin/com/android/trisolarisserver/controller/IssuedCards.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/controller/IssuedCards.kt
@@ -134,7 +134,7 @@ class IssuedCards(
         @PathVariable roomStayId: UUID,
         @AuthenticationPrincipal principal: MyPrincipal?
     ): List {
-        requireMember(propertyId, principal)
+        requireViewActor(propertyId, principal)
         val stay = roomStayRepo.findById(roomStayId).orElseThrow {
             ResponseStatusException(HttpStatus.NOT_FOUND, "Room stay not found")
         }
@@ -177,6 +177,23 @@ class IssuedCards(
         propertyAccess.requireMember(propertyId, principal.userId)
     }
 
+    private fun requireViewActor(propertyId: UUID, principal: MyPrincipal?) {
+        if (principal == null) {
+            throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "Missing principal")
+        }
+        propertyAccess.requireAnyRole(
+            propertyId,
+            principal.userId,
+            Role.ADMIN,
+            Role.MANAGER,
+            Role.STAFF,
+            Role.HOUSEKEEPING,
+            Role.FINANCE,
+            Role.GUIDE,
+            Role.SUPERVISOR
+        )
+    }
+
     private fun requireIssueActor(propertyId: UUID, principal: MyPrincipal?): com.android.trisolarisserver.models.property.AppUser {
         if (principal == null) {
             throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "Missing principal")
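Review bot: The role allow-list inside `requireViewActor` in the second hunk is an inline literal with no statement of the policy it encodes, so the intent (every property role except the agent role, per the subject line) is only recoverable from the commit message. Add a KDoc such as `/** Roles permitted to list a property's issued cards: every member role except agents; keep in sync with [requireIssueActor]. */` and hoist the roles into a named `private val` (or a companion constant) so that the next value added to `Role` is a deliberate decision rather than a silent exclusion, which is the safe default but easy to miss. The null-principal guard duplicates the one visible in `requireIssueActor` directly below (whose body continues outside the hunk); a shared `principal ?: throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "Missing principal")` helper would keep the two checks in step. In the first hunk the call site relies on this property-level role check while the stay lookup on the next lines is by `roomStayId` alone; whether the stay is verified to belong to `propertyId` lies outside the hunk and is worth confirming, since the role check otherwise bounds nothing about the stay.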