Fix authentication: Use token's account_id as authoritative source
- Token's account_id is now authoritative for the current account context
- For developers/admins: always use the token's account_id (they can access any account)
- For regular users: verify they belong to the token's account; fall back to user.account if not
- This ensures the correct account context is set, especially for developers working across accounts
- Fixes a bug where the wrong user/account was shown after login
@@ -99,12 +99,20 @@ class AccountContextMiddleware(MiddlewareMixin):
|
||||
user = User.objects.select_related('account', 'account__plan').get(id=user_id)
|
||||
request.user = user
|
||||
if account_id:
|
||||
# Verify account still exists and matches user
|
||||
# Verify account still exists
|
||||
account = Account.objects.get(id=account_id)
|
||||
# If user's account changed, use the new one from user object
|
||||
if user.account and user.account.id != account_id:
|
||||
request.account = user.account
|
||||
# Token's account_id is authoritative for current context
|
||||
# For developers/admins, they can access any account
|
||||
# For regular users, verify they belong to this account
|
||||
if not user.is_admin_or_developer() and not user.is_system_account_user():
|
||||
# Regular user - must belong to this account
|
||||
if user.account and user.account.id != account_id:
|
||||
# User doesn't belong to token's account - use user's account instead
|
||||
request.account = user.account
|
||||
else:
|
||||
request.account = account
|
||||
else:
|
||||
# Developer/admin/system user - use token's account (they can access any)
|
||||
request.account = account
|
||||
else:
|
||||
try:
|
||||
|
||||
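Review bot: A regular user with no account at all (`user.account` is None) skips the membership check on the `if user.account and user.account.id != account_id:` line, falls into the `else` branch and inherits whatever account the token names, so the new verification only protects users who already have an account; `if user.account is None or user.account.id != account_id:` would keep a token from handing an accountless user a context they do not belong to. The mismatch branch also substitutes `user.account` silently, yet a token whose account_id disagrees with the user's own account is a stale or tampered session rather than a routine case, so it should at least be logged before the fallback is applied. The enclosing method, including whatever catches `Account.DoesNotExist` from `Account.objects.get(id=account_id)`, starts and ends outside the hunk, so it cannot be confirmed here that a missing account is handled.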