salman/igny8
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(migrations): Rename indexes and update global integration settings fields for improved clarity and functionality

Browse Source 
feat(admin): Add API monitoring, debug console, and system health templates for enhanced admin interface

docs: Add AI system cleanup summary and audit report detailing architecture, token management, and recommendations

docs: Introduce credits and tokens system guide outlining configuration, data flow, and monitoring strategies
This commit is contained in:
IGNY8 VPS (Salman)
2025-12-20 12:55:05 +00:00
parent eb6cba7920
commit 3283a83b42
51 changed files with 3578 additions and 5434 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
backend/igny8_core/api/base.py
View File

@@ -21,21 +21,6 @@ class AccountModelViewSet(viewsets.ModelViewSet):
user = getattr(self.request, 'user', None)
if user and hasattr(user, 'is_authenticated') and user.is_authenticated:
# Bypass filtering for superusers - they can see everything
if getattr(user, 'is_superuser', False):
return queryset
# Bypass filtering for developers
if hasattr(user, 'role') and user.role == 'developer':
return queryset
# Bypass filtering for system account users
try:
if hasattr(user, 'is_system_account_user') and user.is_system_account_user():
return queryset
except Exception:
pass
try:
account = getattr(self.request, 'account', None)
if not account and hasattr(self.request, 'user') and self.request.user and hasattr(self.request.user, 'is_authenticated') and self.request.user.is_authenticated:
@@ -254,29 +239,6 @@ class SiteSectorModelViewSet(AccountModelViewSet):
# Check if user is authenticated and is a proper User instance (not AnonymousUser)
if user and hasattr(user, 'is_authenticated') and user.is_authenticated and hasattr(user, 'get_accessible_sites'):
# Bypass site filtering for superusers and developers
# They already got unfiltered queryset from parent AccountModelViewSet
if getattr(user, 'is_superuser', False) or (hasattr(user, 'role') and user.role == 'developer'):
# No site filtering for superuser/developer
# But still apply query param filters if provided
try:
query_params = getattr(self.request, 'query_params', None)
if query_params is None:
query_params = getattr(self.request, 'GET', {})
site_id = query_params.get('site_id') or query_params.get('site')
except AttributeError:
site_id = None
if site_id:
try:
site_id_int = int(site_id) if site_id else None
if site_id_int:
queryset = queryset.filter(site_id=site_id_int)
except (ValueError, TypeError):
pass
return queryset
try:
# Get user's accessible sites
accessible_sites = user.get_accessible_sites()

67
backend/igny8_core/api/permissions.py
View File

@@ -50,24 +50,6 @@ class HasTenantAccess(permissions.BasePermission):
logger.warning(f"[HasTenantAccess] DENIED: User not authenticated")
return False
# Bypass for superusers
if getattr(request.user, 'is_superuser', False):
logger.info(f"[HasTenantAccess] ALLOWED: User {request.user.email} is superuser")
return True
# Bypass for developers
if hasattr(request.user, 'role') and request.user.role == 'developer':
logger.info(f"[HasTenantAccess] ALLOWED: User {request.user.email} is developer")
return True
# Bypass for system account users
try:
if hasattr(request.user, 'is_system_account_user') and request.user.is_system_account_user():
logger.info(f"[HasTenantAccess] ALLOWED: User {request.user.email} is system account user")
return True
except Exception:
pass
# SIMPLIFIED LOGIC: Every authenticated user MUST have an account
# Middleware already set request.account from request.user.account
# Just verify it exists
@@ -95,7 +77,6 @@ class IsViewerOrAbove(permissions.BasePermission):
"""
Permission class that requires viewer, editor, admin, or owner role
For read-only operations
Superusers and developers bypass this check.
"""
def has_permission(self, request, view):
import logging
@@ -105,16 +86,6 @@ class IsViewerOrAbove(permissions.BasePermission):
logger.warning(f"[IsViewerOrAbove] DENIED: User not authenticated")
return False
# Bypass for superusers
if getattr(request.user, 'is_superuser', False):
logger.info(f"[IsViewerOrAbove] ALLOWED: User {request.user.email} is superuser")
return True
# Bypass for developers
if hasattr(request.user, 'role') and request.user.role == 'developer':
logger.info(f"[IsViewerOrAbove] ALLOWED: User {request.user.email} is developer")
return True
# Check user role
if hasattr(request.user, 'role'):
role = request.user.role
@@ -135,20 +106,11 @@ class IsEditorOrAbove(permissions.BasePermission):
"""
Permission class that requires editor, admin, or owner role
For content operations
Superusers and developers bypass this check.
"""
def has_permission(self, request, view):
if not request.user or not request.user.is_authenticated:
return False
# Bypass for superusers
if getattr(request.user, 'is_superuser', False):
return True
# Bypass for developers
if hasattr(request.user, 'role') and request.user.role == 'developer':
return True
# Check user role
if hasattr(request.user, 'role'):
role = request.user.role
@@ -163,20 +125,11 @@ class IsAdminOrOwner(permissions.BasePermission):
"""
Permission class that requires admin or owner role only
For settings, keys, billing operations
Superusers and developers bypass this check.
"""
def has_permission(self, request, view):
if not request.user or not request.user.is_authenticated:
return False
# Bypass for superusers
if getattr(request.user, 'is_superuser', False):
return True
# Bypass for developers
if hasattr(request.user, 'role') and request.user.role == 'developer':
return True
# Check user role
if hasattr(request.user, 'role'):
role = request.user.role
@@ -185,23 +138,3 @@ class IsAdminOrOwner(permissions.BasePermission):
# If no role system, deny by default for security
return False
class IsSystemAccountOrDeveloper(permissions.BasePermission):
"""
Allow only system accounts (aws-admin/default-account/default) or developer role.
Use for sensitive, globally-scoped settings like integration API keys.
"""
def has_permission(self, request, view):
user = getattr(request, "user", None)
if not user or not user.is_authenticated:
return False
account_slug = getattr(getattr(user, "account", None), "slug", None)
if user.role == "developer":
return True
if account_slug in ["aws-admin", "default-account", "default"]:
return True
return False

13
backend/igny8_core/api/throttles.py
View File

@@ -27,19 +27,6 @@ class DebugScopedRateThrottle(ScopedRateThrottle):
return True
# OLD CODE BELOW (DISABLED)
# Bypass for superusers and developers
if request.user and hasattr(request.user, 'is_authenticated') and request.user.is_authenticated:
if getattr(request.user, 'is_superuser', False):
return True
if hasattr(request.user, 'role') and request.user.role == 'developer':
return True
# Bypass for system account users
try:
if hasattr(request.user, 'is_system_account_user') and request.user.is_system_account_user():
return True
except Exception:
pass
# Check if throttling should be bypassed
debug_bypass = getattr(settings, 'DEBUG', False)
env_bypass = getattr(settings, 'IGNY8_DEBUG_THROTTLE', False)