game-stream: allow portal admin access

ariadne/app_game_routes.py

@@ -50,6 +50,8 @@ def _is_game_stream_admin(module: Any, ctx: AuthContext) -> bool:
 
 def _require_game_stream_access(module: Any, ctx: AuthContext) -> dict[str, Any]:
     profile = module.game_stream_profiles.profile_for(ctx.username or "", ctx.groups)
+    if not profile.get("allowed") and _is_game_stream_admin(module, ctx):
+        profile = {**profile, "allowed": True}
     if not profile.get("allowed"):
         raise HTTPException(status_code=403, detail="forbidden")
     return profile

tests/unit/app/test_app_game_routes.py

@@ -159,6 +159,20 @@ def test_game_stream_status_for_user(monkeypatch) -> None:
     assert data["wolf"]["pending_pair_requests"][0]["pair_secret"] == "secret-1"
 
 
+def test_game_stream_status_allows_portal_admin_user_without_groups(monkeypatch) -> None:
+    ctx = AuthContext(username="bstein", email="", groups=[], claims={})
+    client = _client(monkeypatch, ctx)
+    monkeypatch.setattr(app_module, "wolf_api", DummyWolfApi())
+    monkeypatch.setattr(app_module, "wolf_gatekeeper", DummyGatekeeper())
+    monkeypatch.setattr(app_module.game_mode, "status", lambda: {"status": "idle", "active": False, "workloads": []})
+
+    resp = client.get("/api/game-stream/status?source_ip=1.2.3.4", headers={"Authorization": "Bearer token"})
+
+    assert resp.status_code == 200
+    assert resp.json()["profile"]["allowed"] is True
+    assert resp.json()["can_control_gpu"] is True
+
+
 def test_game_stream_status_edges(monkeypatch) -> None:
     ctx = AuthContext(username="olya", email="", groups=["game-stream-users"], claims={})
     client = _client(monkeypatch, ctx)