feat: Enhance role-based access control for project and service listings

project-service/src/main/java/com/techtorque/project_service/config/GatewayHeaderFilter.java

@@ -26,7 +26,19 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
     if (userId != null && !userId.isEmpty()) {
       List<SimpleGrantedAuthority> authorities = rolesHeader == null ? Collections.emptyList() :
               Arrays.stream(rolesHeader.split(","))
-                      .map(role -> new SimpleGrantedAuthority("ROLE_" + role.trim().toUpperCase()))
+                      .map(role -> {
+                        String roleUpper = role.trim().toUpperCase();
+                        // Treat SUPER_ADMIN as ADMIN for authorization purposes
+                        if ("SUPER_ADMIN".equals(roleUpper)) {
+                          // Add both SUPER_ADMIN and ADMIN roles
+                          return Arrays.asList(
+                            new SimpleGrantedAuthority("ROLE_SUPER_ADMIN"),
+                            new SimpleGrantedAuthority("ROLE_ADMIN")
+                          );
+                        }
+                        return Collections.singletonList(new SimpleGrantedAuthority("ROLE_" + roleUpper));
+                      })
+                      .flatMap(List::stream)
                       .collect(Collectors.toList());
 
       UsernamePasswordAuthenticationToken authentication =

project-service/src/main/java/com/techtorque/project_service/controller/ProjectController.java

@@ -43,9 +43,21 @@ public ResponseEntity<ApiResponse> requestModification(
 
   @Operation(summary = "List projects for the current customer")
   @GetMapping
-  @PreAuthorize("hasRole('CUSTOMER')")
-  public ResponseEntity<ApiResponse> listCustomerProjects(@RequestHeader("X-User-Subject") String customerId) {
-    List<Project> projects = projectService.getProjectsForCustomer(customerId);
+  @PreAuthorize("hasAnyRole('CUSTOMER', 'ADMIN', 'EMPLOYEE')")
+  public ResponseEntity<ApiResponse> listCustomerProjects(
+          @RequestHeader("X-User-Subject") String userId,
+          @RequestHeader("X-User-Roles") String roles) {
+
+    List<Project> projects;
+
+    // Admin and Employee can see all projects
+    if (roles.contains("ADMIN") || roles.contains("EMPLOYEE")) {
+      projects = projectService.getAllProjects();
+    } else {
+      // Customer sees only their own projects
+      projects = projectService.getProjectsForCustomer(userId);
+    }
+
     List<ProjectResponseDto> response = projects.stream()
             .map(this::mapToResponseDto)
             .collect(Collectors.toList());

project-service/src/main/java/com/techtorque/project_service/controller/ServiceController.java

@@ -42,11 +42,34 @@ public ResponseEntity<ApiResponse> createService(
 
   @Operation(summary = "List services for the current customer")
   @GetMapping
-  @PreAuthorize("hasRole('CUSTOMER')")
+  @PreAuthorize("hasAnyRole('CUSTOMER', 'ADMIN', 'EMPLOYEE')")
   public ResponseEntity<ApiResponse> listCustomerServices(
-          @RequestHeader("X-User-Subject") String customerId,
+          @RequestHeader("X-User-Subject") String userId,
+          @RequestHeader("X-User-Roles") String roles,
           @RequestParam(required = false) String status) {
-    List<StandardService> services = standardServiceService.getServicesForCustomer(customerId, status);
+
+    List<StandardService> services;
+
+    // Admin and Employee can see all services
+    if (roles.contains("ADMIN") || roles.contains("EMPLOYEE")) {
+      services = standardServiceService.getAllServices();
+      // Apply status filter if provided
+      if (status != null && !status.isEmpty()) {
+        try {
+          com.techtorque.project_service.entity.ServiceStatus statusEnum = 
+              com.techtorque.project_service.entity.ServiceStatus.valueOf(status.toUpperCase());
+          services = services.stream()
+              .filter(s -> s.getStatus() == statusEnum)
+              .collect(Collectors.toList());
+        } catch (IllegalArgumentException e) {
+          // Invalid status, ignore filter
+        }
+      }
+    } else {
+      // Customer sees only their own services
+      services = standardServiceService.getServicesForCustomer(userId, status);
+    }
+
     List<ServiceResponseDto> response = services.stream()
             .map(this::mapToServiceResponseDto)
             .collect(Collectors.toList());

project-service/src/main/java/com/techtorque/project_service/service/StandardServiceService.java

@@ -13,6 +13,8 @@ public interface StandardServiceService {
   StandardService createServiceFromAppointment(CreateServiceDto dto, String employeeId);
 
   List<StandardService> getServicesForCustomer(String customerId, String status);
+
+  List<StandardService> getAllServices(); // For admin/employee to see all services
 
   Optional<StandardService> getServiceDetails(String serviceId, String userId, String userRole);
 

project-service/src/main/java/com/techtorque/project_service/service/impl/StandardServiceServiceImpl.java

@@ -77,6 +77,13 @@ public List<StandardService> getServicesForCustomer(String customerId, String st
     return services;
   }
 
+  @Override
+  @Transactional(readOnly = true)
+  public List<StandardService> getAllServices() {
+    log.info("Fetching all services (admin/employee access)");
+    return serviceRepository.findAll();
+  }
+
   @Override
   public Optional<StandardService> getServiceDetails(String serviceId, String userId, String userRole) {
     log.info("Fetching service {} for user: {} with role: {}", serviceId, userId, userRole);