feat(migrations): Rename indexes and update global integration settings fields for improved clarity and functionality

feat(admin): Add API monitoring, debug console, and system health templates for enhanced admin interface docs: Add AI system cleanup summary and audit report detailing architecture, token management, and recommendations docs: Introduce credits and tokens system guide outlining configuration, data flow, and monitoring strategies
2025-12-20 12:55:05 +00:00
parent eb6cba7920
commit 3283a83b42
51 changed files with 3578 additions and 5434 deletions
--- a/backend/igny8_core/api/permissions.py
+++ b/backend/igny8_core/api/permissions.py
@@ -50,24 +50,6 @@ class HasTenantAccess(permissions.BasePermission):
            logger.warning(f"[HasTenantAccess] DENIED: User not authenticated")
            return False
        
-        # Bypass for superusers
-        if getattr(request.user, 'is_superuser', False):
-            logger.info(f"[HasTenantAccess] ALLOWED: User {request.user.email} is superuser")
-            return True
-        
-        # Bypass for developers
-        if hasattr(request.user, 'role') and request.user.role == 'developer':
-            logger.info(f"[HasTenantAccess] ALLOWED: User {request.user.email} is developer")
-            return True
-        
-        # Bypass for system account users
-        try:
-            if hasattr(request.user, 'is_system_account_user') and request.user.is_system_account_user():
-                logger.info(f"[HasTenantAccess] ALLOWED: User {request.user.email} is system account user")
-                return True
-        except Exception:
-            pass
-        
        # SIMPLIFIED LOGIC: Every authenticated user MUST have an account
        # Middleware already set request.account from request.user.account
        # Just verify it exists
@@ -95,7 +77,6 @@ class IsViewerOrAbove(permissions.BasePermission):
    """
    Permission class that requires viewer, editor, admin, or owner role
    For read-only operations
-    Superusers and developers bypass this check.
    """
    def has_permission(self, request, view):
        import logging
@@ -105,16 +86,6 @@ class IsViewerOrAbove(permissions.BasePermission):
            logger.warning(f"[IsViewerOrAbove] DENIED: User not authenticated")
            return False
        
-        # Bypass for superusers
-        if getattr(request.user, 'is_superuser', False):
-            logger.info(f"[IsViewerOrAbove] ALLOWED: User {request.user.email} is superuser")
-            return True
-        
-        # Bypass for developers
-        if hasattr(request.user, 'role') and request.user.role == 'developer':
-            logger.info(f"[IsViewerOrAbove] ALLOWED: User {request.user.email} is developer")
-            return True
-        
        # Check user role
        if hasattr(request.user, 'role'):
            role = request.user.role
@@ -135,20 +106,11 @@ class IsEditorOrAbove(permissions.BasePermission):
    """
    Permission class that requires editor, admin, or owner role
    For content operations
-    Superusers and developers bypass this check.
    """
    def has_permission(self, request, view):
        if not request.user or not request.user.is_authenticated:
            return False
        
-        # Bypass for superusers
-        if getattr(request.user, 'is_superuser', False):
-            return True
-        
-        # Bypass for developers
-        if hasattr(request.user, 'role') and request.user.role == 'developer':
-            return True
-        
        # Check user role
        if hasattr(request.user, 'role'):
            role = request.user.role
@@ -163,20 +125,11 @@ class IsAdminOrOwner(permissions.BasePermission):
    """
    Permission class that requires admin or owner role only
    For settings, keys, billing operations
-    Superusers and developers bypass this check.
    """
    def has_permission(self, request, view):
        if not request.user or not request.user.is_authenticated:
            return False
        
-        # Bypass for superusers
-        if getattr(request.user, 'is_superuser', False):
-            return True
-        
-        # Bypass for developers
-        if hasattr(request.user, 'role') and request.user.role == 'developer':
-            return True
-        
        # Check user role
        if hasattr(request.user, 'role'):
            role = request.user.role
@@ -185,23 +138,3 @@ class IsAdminOrOwner(permissions.BasePermission):
        
        # If no role system, deny by default for security
        return False
-
-
-class IsSystemAccountOrDeveloper(permissions.BasePermission):
-    """
-    Allow only system accounts (aws-admin/default-account/default) or developer role.
-    Use for sensitive, globally-scoped settings like integration API keys.
-    """
-    def has_permission(self, request, view):
-        user = getattr(request, "user", None)
-        if not user or not user.is_authenticated:
-            return False
-
-        account_slug = getattr(getattr(user, "account", None), "slug", None)
-        if user.role == "developer":
-            return True
-        if account_slug in ["aws-admin", "default-account", "default"]:
-            return True
-        return False
-
-