Fix authentication: Use token's account_id as authoritative source
- Token's account_id is now authoritative for current account context - For developers/admins: Always use token's account_id (they can access any account) - For regular users: Verify they belong to token's account, fallback to user.account if not - This ensures correct account context is set, especially for developers working across accounts - Fixes bug where wrong user/account was shown after login
This commit is contained in:
IGNY8 VPS (Salman)
@@ -62,16 +62,20 @@ class JWTAuthentication(BaseAuthentication):
|
||||
# User not found - return None to allow other auth classes to try
|
||||
return None
|
||||
|
||||
# Get account from token
|
||||
# Get account from token (token's account_id is authoritative for current context)
|
||||
account_id = payload.get('account_id')
|
||||
account = None
|
||||
if account_id:
|
||||
try:
|
||||
account = Account.objects.get(id=account_id)
|
||||
# If user's account changed, use the new one from user object (most up-to-date)
|
||||
# This ensures we always use the user's current account, not a stale token account_id
|
||||
if user.account and user.account.id != account_id:
|
||||
account = user.account
|
||||
# Verify user has access to this account
|
||||
# For developers/admins, they can access any account
|
||||
# For regular users, verify they belong to this account
|
||||
if not user.is_admin_or_developer() and not user.is_system_account_user():
|
||||
# Regular user - must belong to this account
|
||||
if user.account and user.account.id != account_id:
|
||||
# User doesn't belong to token's account - use user's account instead
|
||||
account = user.account
|
||||
except Account.DoesNotExist:
|
||||
# Account from token doesn't exist - use user's account instead
|
||||
pass
|
||||
|
||||
Reference in New Issue
Block a user