From 0d5949ba46af19587feee3cec82b24279e333876 Mon Sep 17 00:00:00 2001
From: ytqh
Date: Wed, 2 Jul 2025 16:21:33 +0800
Subject: [PATCH] Allow owner and admin roles to access admin API endpoints
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Modified admin API authentication to accept OWNER and ADMIN roles in addition to END_ADMIN
- This allows the same account to manage apps in Dify console and access admin statistics
- Fixes 401 errors when accessing admin platform with owner account

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 api/controllers/admin/wraps.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/api/controllers/admin/wraps.py b/api/controllers/admin/wraps.py
index 65615b4856..da53af1272 100644
--- a/api/controllers/admin/wraps.py
+++ b/api/controllers/admin/wraps.py
@@ -43,8 +43,13 @@ def validate_admin_token_and_extract_info(view: Optional[Callable] = None):
             raise Unauthorized("Invalid token: user not found")
         if account.status != AccountStatus.ACTIVE:
             raise Unauthorized("Invalid token: account is not active")
-        if account.current_role != TenantAccountJoinRole.END_ADMIN.value:
-            raise Unauthorized("Invalid token: account is not end admin")
+        allowed_roles = [
+            TenantAccountJoinRole.END_ADMIN.value,
+            TenantAccountJoinRole.OWNER.value,
+            TenantAccountJoinRole.ADMIN.value
+        ]
+        if account.current_role not in allowed_roles:
+            raise Unauthorized("Invalid token: account does not have admin privileges")
         app_id = request.headers.get("X-App-Id")
         if not app_id: