diff --git a/backend/src/common/guards/write-access.guard.ts b/backend/src/common/guards/write-access.guard.ts
index bd12619..f0b4e91 100644
--- a/backend/src/common/guards/write-access.guard.ts
+++ b/backend/src/common/guards/write-access.guard.ts
@@ -13,9 +13,10 @@ export class WriteAccessGuard implements CanActivate {
     // Allow all read methods
     if (['GET', 'HEAD', 'OPTIONS'].includes(method)) return true;
-    // If no user on request (unauthenticated endpoints like login/register), allow
-    const user = request.user;
-    if (!user) return true;
+    // Determine role from either req.userRole (set by TenantMiddleware which runs
+    // before guards) or req.user.role (set by JwtAuthGuard Passport strategy).
+    const role = request.userRole || request.user?.role;
+    if (!role) return true; // unauthenticated endpoints like login/register
     // Check for @AllowViewer() exemption on handler or class
     const allowViewer = this.reflector.getAllAndOverride(ALLOW_VIEWER_KEY, [
@@ -25,7 +26,7 @@ export class WriteAccessGuard implements CanActivate {
     if (allowViewer) return true;
     // Block viewer role from write operations
-    if (user.role === 'viewer') {
+    if (role === 'viewer') {
       throw new ForbiddenException('Read-only users cannot modify data');
     }
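Review bot: The new `if (!role) return true;` fails open for an authenticated request too: when `request.user` is present but neither `request.userRole` nor `request.user.role` is set, the write is allowed, even though the trailing comment describes only the unauthenticated login/register case. If every authenticated principal is expected to carry a role, the guard should distinguish the two cases, e.g. `if (!role && !request.user) return true; // unauthenticated endpoints like login/register` followed by `if (!role) throw new ForbiddenException('User role could not be determined');`; if some principals legitimately have no role, the comment should say that the absence is deliberate. Separately, `request.userRole || request.user?.role` gives the TenantMiddleware value precedence over the role carried in the verified JWT, so the two can disagree and the token's role loses silently; the comment should document where TenantMiddleware obtains `userRole` (it is not visible in this diff) and why it is trusted over the token, or the guard should compare the two and reject a mismatch. The second hunk's `role === 'viewer'` check is the only deny path, so any role value that is not exactly `'viewer'` passes; that is unchanged from the old code but worth a comment such as `// Only the viewer role is read-only; all other roles may write` so the allow-by-default contract is explicit. canActivate's body starts and ends outside these hunks.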