Restrict issued card list to non-agent roles

src/main/kotlin/com/android/trisolarisserver/controller/IssuedCards.kt

@@ -134,7 +134,7 @@ class IssuedCards(
         @PathVariable roomStayId: UUID,
         @AuthenticationPrincipal principal: MyPrincipal?
     ): List<IssuedCardResponse> {
-        requireMember(propertyId, principal)
+        requireViewActor(propertyId, principal)
         val stay = roomStayRepo.findById(roomStayId).orElseThrow {
             ResponseStatusException(HttpStatus.NOT_FOUND, "Room stay not found")
         }
@@ -177,6 +177,23 @@ class IssuedCards(
         propertyAccess.requireMember(propertyId, principal.userId)
     }
 
+    private fun requireViewActor(propertyId: UUID, principal: MyPrincipal?) {
+        if (principal == null) {
+            throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "Missing principal")
+        }
+        propertyAccess.requireAnyRole(
+            propertyId,
+            principal.userId,
+            Role.ADMIN,
+            Role.MANAGER,
+            Role.STAFF,
+            Role.HOUSEKEEPING,
+            Role.FINANCE,
+            Role.GUIDE,
+            Role.SUPERVISOR
+        )
+    }
+
     private fun requireIssueActor(propertyId: UUID, principal: MyPrincipal?): com.android.trisolarisserver.models.property.AppUser {
         if (principal == null) {
             throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "Missing principal")