fixes

modules/routes/routeDataMandates.py

@@ -343,6 +343,26 @@ def create_mandate(
 
 _MANDATE_ADMIN_EDITABLE_FIELDS = {"label"}
 
+def _isUserAdminOfMandate(userId: str, targetMandateId: str) -> bool:
+    """Check mandate-admin without RequestContext (avoids Header param conflicts)."""
+    try:
+        rootInterface = interfaceDbApp.getRootInterface()
+        userMandates = rootInterface.getUserMandates(userId)
+        for um in userMandates:
+            if str(getattr(um, 'mandateId', '')) != str(targetMandateId):
+                continue
+            umId = getattr(um, 'id', None)
+            if not umId:
+                continue
+            roleIds = rootInterface.getRoleIdsForUserMandate(str(umId))
+            for roleId in roleIds:
+                role = rootInterface.getRole(roleId)
+                if role and role.roleLabel == "admin" and not role.featureInstanceId:
+                    return True
+    except Exception as e:
+        logger.error(f"Error checking mandate admin: {e}")
+    return False
+
 @router.put("/{mandateId}", response_model=Mandate)
 @limiter.limit("10/minute")
 def update_mandate(
@@ -358,12 +378,11 @@ def update_mandate(
     - MandateAdmin: only label
     """
     from modules.auth import _hasSysAdminRole as _checkSysAdminRole
-    isSysAdmin = _checkSysAdminRole(str(currentUser.id))
+    userId = str(currentUser.id)
+    isSysAdmin = _checkSysAdminRole(userId)
     
     if not isSysAdmin:
-        context = getRequestContext(request, currentUser=currentUser)
+        if not _isUserAdminOfMandate(userId, mandateId):
-        isMandateAdmin = _hasMandateAdminRole(context, mandateId)
-        if not isMandateAdmin:
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
                 detail=routeApiMsg("Admin role required to update mandate")