Revert "Fix authentication: Use token's account_id as authoritative source"
This reverts commit 46b5b5f1b2.
@@ -62,20 +62,16 @@ class JWTAuthentication(BaseAuthentication):
|
|||||||
# User not found - return None to allow other auth classes to try
|
# User not found - return None to allow other auth classes to try
|
||||||
return None
|
return None
|
||||||
|
|
||||||
# Get account from token (token's account_id is authoritative for current context)
|
# Get account from token
|
||||||
account_id = payload.get('account_id')
|
account_id = payload.get('account_id')
|
||||||
account = None
|
account = None
|
||||||
if account_id:
|
if account_id:
|
||||||
try:
|
try:
|
||||||
account = Account.objects.get(id=account_id)
|
account = Account.objects.get(id=account_id)
|
||||||
# Verify user has access to this account
|
# If user's account changed, use the new one from user object (most up-to-date)
|
||||||
# For developers/admins, they can access any account
|
# This ensures we always use the user's current account, not a stale token account_id
|
||||||
# For regular users, verify they belong to this account
|
if user.account and user.account.id != account_id:
|
||||||
if not user.is_admin_or_developer() and not user.is_system_account_user():
|
account = user.account
|
||||||
# Regular user - must belong to this account
|
|
||||||
if user.account and user.account.id != account_id:
|
|
||||||
# User doesn't belong to token's account - use user's account instead
|
|
||||||
account = user.account
|
|
||||||
except Account.DoesNotExist:
|
except Account.DoesNotExist:
|
||||||
# Account from token doesn't exist - use user's account instead
|
# Account from token doesn't exist - use user's account instead
|
||||||
pass
|
pass
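Review bot: The `except Account.DoesNotExist` branch on the new side says "use user's account instead" but its body is `pass`, so `account` stays `None` when the token names a deleted account and whatever consumes it after this hunk gets no account context at all; the body should be `account = user.account` to match both the comment and the `!=` branch above it. The remaining guard only reassigns when `user.account` is set, so a user with no account keeps whatever `account_id` the token carries — safe only if that claim is always issued server-side for an account the user belongs to, which this hunk cannot show. If `user.account.id` and the payload's `account_id` differ in type (a UUID versus its string form, say), the `!=` is always true and the token account is silently discarded; comparing normalized values, `if user.account and str(user.account.id) != str(account_id):`, makes that intent explicit. The enclosing method starts and continues outside the hunk.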
|
||||||
|
|||||||
@@ -99,20 +99,12 @@ class AccountContextMiddleware(MiddlewareMixin):
|
|||||||
user = User.objects.select_related('account', 'account__plan').get(id=user_id)
|
user = User.objects.select_related('account', 'account__plan').get(id=user_id)
|
||||||
request.user = user
|
request.user = user
|
||||||
if account_id:
|
if account_id:
|
||||||
# Verify account still exists
|
# Verify account still exists and matches user
|
||||||
account = Account.objects.get(id=account_id)
|
account = Account.objects.get(id=account_id)
|
||||||
# Token's account_id is authoritative for current context
|
# If user's account changed, use the new one from user object
|
||||||
# For developers/admins, they can access any account
|
if user.account and user.account.id != account_id:
|
||||||
# For regular users, verify they belong to this account
|
request.account = user.account
|
||||||
if not user.is_admin_or_developer() and not user.is_system_account_user():
|
|
||||||
# Regular user - must belong to this account
|
|
||||||
if user.account and user.account.id != account_id:
|
|
||||||
# User doesn't belong to token's account - use user's account instead
|
|
||||||
request.account = user.account
|
|
||||||
else:
|
|
||||||
request.account = account
|
|
||||||
else:
|
else:
|
||||||
# Developer/admin/system user - use token's account (they can access any)
|
|
||||||
request.account = account
|
request.account = account
|
||||||
else:
|
else:
|
||||||
try:
|
try:
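Review bot: `Account.objects.get(id=account_id)` on the new side raises `Account.DoesNotExist` for a token whose account has since been deleted, and nothing in this hunk catches it — the `try:` at the bottom belongs to the `else:` branch that runs only when there is no `account_id`; unless an outer handler outside the hunk covers it, a stale but validly signed token turns into a server error instead of a request with a sane account context. The JWTAuthentication hunk in this same commit degrades that case with an `except Account.DoesNotExist`, so the middleware should do the same and fall back to `user.account`. The account-resolution rule is now duplicated verbatim between the authentication class and this middleware; moving it into one shared helper would keep the two paths from drifting apart again, which appears to be what this revert is cleaning up. As in the other hunk, a user with `user.account` unset takes the token's account unconditionally, so that claim must never be minted for an account the user does not belong to.

```python
if account_id:
    try:
        account = Account.objects.get(id=account_id)
    except Account.DoesNotExist:
        # Token names an account that no longer exists: fall back to the
        # user's current account instead of raising into the request cycle.
        account = user.account
    # If user's account changed, use the new one from user object
    if user.account and user.account.id != account_id:
        request.account = user.account
    else:
        request.account = account
# … unchanged: else branch without account_id …
```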
|
||||||
|
|||||||