From 89cc11e41eb00c37b2556757ea730b03fadc96e9 Mon Sep 17 00:00:00 2001
From: Md Bayazid  Bostame <bostame@bostame-2349.local>
Date: Wed, 1 Apr 2026 13:30:17 +0200
Subject: [PATCH] fix: allow super admin customer platform apps

---
 backend/workflows/app_registry.py                |  4 ++--
 backend/workflows/roles.py                       |  4 ++--
 .../tests/test_app_registry_permissions.py       | 16 ++++++++++++++++
 3 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/backend/workflows/app_registry.py b/backend/workflows/app_registry.py
index 3e9db5b..4c47176 100644
--- a/backend/workflows/app_registry.py
+++ b/backend/workflows/app_registry.py
@@ -212,13 +212,13 @@ DEFAULT_ROLE_VISIBILITY = {
         ROLE_STAFF: False,
     },
     'branding': {
-        ROLE_SUPER_ADMIN: False,
+        ROLE_SUPER_ADMIN: True,
         ROLE_ADMIN: False,
         ROLE_IT_STAFF: False,
         ROLE_STAFF: False,
     },
     'company_config': {
-        ROLE_SUPER_ADMIN: False,
+        ROLE_SUPER_ADMIN: True,
         ROLE_ADMIN: False,
         ROLE_IT_STAFF: False,
         ROLE_STAFF: False,
diff --git a/backend/workflows/roles.py b/backend/workflows/roles.py
index 9686f3d..a49385d 100644
--- a/backend/workflows/roles.py
+++ b/backend/workflows/roles.py
@@ -33,8 +33,8 @@ ROLE_LABELS = {
 CAPABILITIES = {
     # Platform-only capabilities stay above any customer-company admin role.
     'manage_users': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN},
-    'manage_product_branding': {ROLE_PLATFORM_OWNER},
-    'manage_company_config': {ROLE_PLATFORM_OWNER},
+    'manage_product_branding': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN},
+    'manage_company_config': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN},
     'manage_trial_lifecycle': {ROLE_PLATFORM_OWNER},
     'manage_app_registry': {ROLE_PLATFORM_OWNER},
     'access_requests_dashboard': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF, ROLE_STAFF},
diff --git a/backend/workflows/tests/test_app_registry_permissions.py b/backend/workflows/tests/test_app_registry_permissions.py
index 48629bd..0db1603 100644
--- a/backend/workflows/tests/test_app_registry_permissions.py
+++ b/backend/workflows/tests/test_app_registry_permissions.py
@@ -41,6 +41,13 @@ class AppRegistryPermissionTests(TestCase):
         self.assertNotIn('trial_management', self._visible_keys(self.super_admin))
         self.assertNotIn('trial_management', self._visible_keys(self.admin))
 
+    def test_super_admin_sees_branding_and_company_config_but_not_app_registry(self):
+        keys = self._visible_keys(self.super_admin)
+
+        self.assertIn('branding', keys)
+        self.assertIn('company_config', keys)
+        self.assertNotIn('app_registry', keys)
+
     def test_requests_dashboard_can_be_hidden_from_staff_via_registry(self):
         config = PortalAppConfig.objects.get(key='requests_dashboard')
         config.visible_to_staff = False
@@ -63,3 +70,12 @@ class AppRegistryPermissionTests(TestCase):
         response = self.client.get(reverse('portal_app_registry_page'))
 
         self.assertEqual(response.status_code, 200)
+
+    def test_super_admin_can_open_branding_and_company_config_pages(self):
+        self.client.force_login(self.super_admin)
+
+        branding_response = self.client.get(reverse('portal_branding_page'))
+        company_response = self.client.get(reverse('portal_company_config_page'))
+
+        self.assertEqual(branding_response.status_code, 200)
+        self.assertEqual(company_response.status_code, 200)