From 3adffb58970bbe93f90fe1b80375d5e9ff1d0ab2 Mon Sep 17 00:00:00 2001
From: XuqmGroup
Date: Sun, 3 May 2026 11:23:15 +0800
Subject: [PATCH] fix(im): allow tenant admin to access IM admin APIs (kick, batch-send, read, import, user-state)

- Change @PreAuthorize from hasAuthority('ROLE_OPS') to hasAnyAuthority('ROLE_OPS', 'ROLE_TENANT') for 5 daily-operation endpoints
- Keep sensitive endpoints (delete, config, webhook) ROLE_OPS only
---
 .../java/com/xuqm/im/controller/ImAdminController.java | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/im-service/src/main/java/com/xuqm/im/controller/ImAdminController.java b/im-service/src/main/java/com/xuqm/im/controller/ImAdminController.java
index 3cbb092..4a02265 100644
--- a/im-service/src/main/java/com/xuqm/im/controller/ImAdminController.java
+++ b/im-service/src/main/java/com/xuqm/im/controller/ImAdminController.java
@@ -670,7 +670,7 @@ public class ImAdminController {
 }

 @GetMapping("/users/state")
- @PreAuthorize("hasAuthority('ROLE_OPS')")
+ @PreAuthorize("hasAnyAuthority('ROLE_OPS', 'ROLE_TENANT')")
 public ResponseEntity>> queryUserState(
 @RequestParam String userIds) {
 Map result = new LinkedHashMap<>();
@@ -687,7 +687,7 @@ public class ImAdminController {
 }

 @PostMapping("/users/kick")
- @PreAuthorize("hasAuthority('ROLE_OPS')")
+ @PreAuthorize("hasAnyAuthority('ROLE_OPS', 'ROLE_TENANT')")
 public ResponseEntity> kickUsers(
 @RequestParam String appId,
 @AuthenticationPrincipal String operatorId,
@@ -703,7 +703,7 @@ public class ImAdminController {
 }

 @PostMapping("/messages/batch-send")
- @PreAuthorize("hasAuthority('ROLE_OPS')")
+ @PreAuthorize("hasAnyAuthority('ROLE_OPS', 'ROLE_TENANT')")
 public ResponseEntity>> batchSendMsg(
 @RequestParam String appId,
 @AuthenticationPrincipal String operatorId,
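Review bot: `queryUserState` is opened to ROLE_TENANT, but its visible signature takes only `@RequestParam String userIds`, with no `appId` and no `@AuthenticationPrincipal`, so nothing in the hunk limits a tenant to users of its own application. Unless the body (which continues outside the hunk) or an upstream filter scopes the lookup, any tenant admin could read presence state for arbitrary user ids. Consider adding `@RequestParam String appId` and `@AuthenticationPrincipal String operatorId`, as the other four endpoints have, and rejecting ids that do not belong to an app the caller owns.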
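Review bot: On `kickUsers` the target application comes straight from `@RequestParam String appId`, and with ROLE_TENANT now admitted the role check alone no longer establishes that the caller may act on that application. The method body lies outside the hunk, so an ownership check may already exist; if it does not, add one before the operation, for example `if (!tenantAccess.ownsApp(operatorId, appId)) throw new AccessDeniedException("appId not owned by caller");` (the helper name is a placeholder). The same applies to `batchSendMsg`, `adminSetMsgRead` and `importMessages` in the following hunks. ROLE_OPS callers can keep the unrestricted path, so the check should be conditional on the caller's authority.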
@@ -719,7 +719,7 @@ public class ImAdminController {
 }

 @PostMapping("/messages/read")
- @PreAuthorize("hasAuthority('ROLE_OPS')")
+ @PreAuthorize("hasAnyAuthority('ROLE_OPS', 'ROLE_TENANT')")
 public ResponseEntity> adminSetMsgRead(
 @RequestParam String appId,
 @AuthenticationPrincipal String operatorId,
@@ -730,7 +730,7 @@ public class ImAdminController {
 }

 @PostMapping("/messages/import")
- @PreAuthorize("hasAuthority('ROLE_OPS')")
+ @PreAuthorize("hasAnyAuthority('ROLE_OPS', 'ROLE_TENANT')")
 public ResponseEntity>> importMessages(
 @RequestParam String appId,
 @AuthenticationPrincipal String operatorId,
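Review bot: The expression `hasAnyAuthority('ROLE_OPS', 'ROLE_TENANT')` is now written out as a string literal on `adminSetMsgRead`, `importMessages` and the three endpoints in the earlier hunks, so a later edit to one copy can leave the endpoints with different access rules without anything failing to compile. A single constant, `static final String OPS_OR_TENANT = "hasAnyAuthority('ROLE_OPS', 'ROLE_TENANT')";` used as `@PreAuthorize(OPS_OR_TENANT)`, keeps the five in step. The diffstat shows only the controller changed; a test asserting that a ROLE_TENANT caller is accepted on these endpoints and still rejected on the delete, config and webhook endpoints would pin the split the commit message describes.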