refactor(rbac): use Role.is_org_admin property and fix empty scopes edge case

Author: jordan-umusu

tracecat/auth/credentials.py

@@ -113,7 +113,7 @@ def compute_effective_scopes(role: Role) -> frozenset[str]:
     if role.workspace_id and role.workspace_role:
         # Org admins/owners already have workspace scopes via their org role
         # Regular members need their workspace role scopes
-        if role.org_role not in (OrgRole.OWNER, OrgRole.ADMIN):
+        if not role.is_org_admin:
             scope_set |= PRESET_ROLE_SCOPES.get(role.workspace_role, set())
 
     # Note: Group-based scopes (from group_assignment table) will be added in PR 4

tracecat/authz/controls.py

@@ -264,6 +264,10 @@ async def admin_operation(...):
     required = set(scopes)
 
     def check_scopes():
+        # Empty required scopes means no restrictions
+        if not required:
+            return
+
         user_scopes = ctx_scopes.get()
 
         # Platform superuser has "*" scope - bypass all checks