From fa19a566605fa54e4cc7b63a8e4a7387b46dbfc4 Mon Sep 17 00:00:00 2001
From: ytqh
Date: Wed, 2 Jul 2025 18:04:01 +0800
Subject: [PATCH] Fix admin validation to check organization_members instead of tenant_account_joins
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Replace TenantAccountJoinRole check with OrganizationMember role check
- Use OrganizationRole.ADMIN to validate admin privileges
- Query organization_members table using account's current_organization_id
- This fixes the issue where super_admin@test.edu couldn't login despite having admin role

The previous validation was checking the wrong role system (tenant roles vs organization roles). Now it correctly validates against the organization membership role.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 api/controllers/admin/wraps.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/api/controllers/admin/wraps.py b/api/controllers/admin/wraps.py
index da53af1272..2a1457c792 100644
--- a/api/controllers/admin/wraps.py
+++ b/api/controllers/admin/wraps.py
@@ -8,7 +8,8 @@ from werkzeug.exceptions import Forbidden, Unauthorized
 from configs import dify_config
 from extensions.ext_database import db
 from libs.passport import PassportService
-from models.account import AccountStatus, Tenant, TenantAccountJoinRole, TenantStatus
+from models.account import AccountStatus, Tenant, TenantStatus
+from models.organization import OrganizationMember, OrganizationRole
 from models.model import App
 from services.account_service import AccountService
@@ -43,12 +44,18 @@ def validate_admin_token_and_extract_info(view: Optional[Callable] = None):
 raise Unauthorized("Invalid token: user not found")
 if account.status != AccountStatus.ACTIVE:
 raise Unauthorized("Invalid token: account is not active")
- allowed_roles = [
- TenantAccountJoinRole.END_ADMIN.value,
- TenantAccountJoinRole.OWNER.value,
- TenantAccountJoinRole.ADMIN.value
- ]
- if account.current_role not in allowed_roles:
+
+ # Check if user has admin role in their current organization
+ org_member = db.session.query(OrganizationMember).filter(
+ OrganizationMember.account_id == user_id,
+ OrganizationMember.organization_id == account.current_organization_id
+ ).first()
+
+ if not org_member:
+ raise Unauthorized("Invalid token: user is not a member of any organization")
+
+ # Check if the user has admin role
+ if org_member.role != OrganizationRole.ADMIN:
 raise Unauthorized("Invalid token: account does not have admin privileges")
 app_id = request.headers.get("X-App-Id")
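Review bot: The new check accepts only `OrganizationRole.ADMIN` on the membership row for `account.current_organization_id`, whereas the removed check also accepted OWNER-level roles; if `OrganizationRole` defines an owner or higher value those accounts are now locked out of the admin API, and if the `role` column is stored as a plain string rather than an Enum column, comparing against the enum member (the old code compared `.value`) may never match and every caller is rejected. `current_organization_id` is not checked before it is used in the filter; with SQLAlchemy an `== None` comparison renders as `IS NULL`, so a membership row with a null organization_id would satisfy the query — I'd add `if account.current_organization_id is None: raise Unauthorized("Invalid token: no current organization")` ahead of the query. The only scope tied to this decision is the account's own current organization; if the guarded admin routes act on resources outside that organization, an admin of any organization the caller can switch to passes this gate, so the authorization should be bound to the organization that owns the requested resource (the `X-App-Id` lookup that follows is the natural place for that binding). The message `"Invalid token: user is not a member of any organization"` overstates what was tested — only membership in the current organization is queried — so `"Invalid token: user is not a member of the current organization"` is more accurate, and since the token itself is valid and the account merely lacks the role, `Forbidden` (already imported) describes both denials better than `Unauthorized`. The enclosing `validate_admin_token_and_extract_info` starts and ends outside the hunk.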