Implement security enhancements and unified response formats across API endpoints. Update permission classes for various ViewSets to ensure proper tenant isolation and compliance with API standards. Refactor authentication endpoints to utilize success and error response helpers, improving error tracking and response consistency. Complete documentation updates reflecting these changes and achieving full compliance with API Standard v1.0.

2025-11-16 11:35:47 +05:00
parent d492b74d40
commit 64b8280bce
8 changed files with 739 additions and 93 deletions
--- a/backend/igny8_core/modules/billing/views.py
+++ b/backend/igny8_core/modules/billing/views.py
@@ -15,6 +15,7 @@ from igny8_core.api.pagination import CustomPageNumberPagination
 from igny8_core.api.response import success_response, error_response
 from igny8_core.api.throttles import DebugScopedRateThrottle
 from igny8_core.api.authentication import JWTAuthentication, CSRFExemptSessionAuthentication
+from igny8_core.api.permissions import IsAuthenticatedAndActive, HasTenantAccess, IsAdminOrOwner
 from .models import CreditTransaction, CreditUsageLog
 from .serializers import (
    CreditTransactionSerializer, CreditUsageLogSerializer,
@@ -32,7 +33,7 @@ class CreditBalanceViewSet(viewsets.ViewSet):
    ViewSet for credit balance operations
    Unified API Standard v1.0 compliant
    """
-    permission_classes = [permissions.IsAuthenticated]
+    permission_classes = [IsAuthenticatedAndActive, HasTenantAccess]
    authentication_classes = [JWTAuthentication, CSRFExemptSessionAuthentication]
    throttle_scope = 'billing'
    throttle_classes = [DebugScopedRateThrottle]
@@ -81,14 +82,14 @@ class CreditBalanceViewSet(viewsets.ViewSet):
    list=extend_schema(tags=['Billing']),
    retrieve=extend_schema(tags=['Billing']),
 )
-class CreditUsageViewSet(viewsets.ReadOnlyModelViewSet):
+class CreditUsageViewSet(AccountModelViewSet):
    """
    ViewSet for credit usage logs
    Unified API Standard v1.0 compliant
    """
    queryset = CreditUsageLog.objects.all()
    serializer_class = CreditUsageLogSerializer
-    permission_classes = [permissions.IsAuthenticated]
+    permission_classes = [IsAuthenticatedAndActive, HasTenantAccess]
    authentication_classes = [JWTAuthentication, CSRFExemptSessionAuthentication]
    pagination_class = CustomPageNumberPagination
    throttle_scope = 'billing'
@@ -97,17 +98,8 @@ class CreditUsageViewSet(viewsets.ReadOnlyModelViewSet):
    filter_backends = []
    
    def get_queryset(self):
-        """Get usage logs for current account"""
-        account = getattr(self.request, 'account', None)
-        if not account:
-            user = getattr(self.request, 'user', None)
-            if user:
-                account = getattr(user, 'account', None)
-        
-        if not account:
-            return CreditUsageLog.objects.none()
-        
-        queryset = CreditUsageLog.objects.filter(account=account)
+        """Get usage logs for current account - base class handles account filtering"""
+        queryset = super().get_queryset()
        
        # Filter by operation type
        operation_type = self.request.query_params.get('operation_type')
@@ -456,31 +448,22 @@ class CreditUsageViewSet(viewsets.ReadOnlyModelViewSet):
    list=extend_schema(tags=['Billing']),
    retrieve=extend_schema(tags=['Billing']),
 )
-class CreditTransactionViewSet(viewsets.ReadOnlyModelViewSet):
+class CreditTransactionViewSet(AccountModelViewSet):
    """
    ViewSet for credit transaction history
    Unified API Standard v1.0 compliant
    """
    queryset = CreditTransaction.objects.all()
    serializer_class = CreditTransactionSerializer
-    permission_classes = [permissions.IsAuthenticated]
+    permission_classes = [IsAuthenticatedAndActive, HasTenantAccess, IsAdminOrOwner]
    authentication_classes = [JWTAuthentication, CSRFExemptSessionAuthentication]
    pagination_class = CustomPageNumberPagination
    throttle_scope = 'billing'
    throttle_classes = [DebugScopedRateThrottle]
    
    def get_queryset(self):
-        """Get transactions for current account"""
-        account = getattr(self.request, 'account', None)
-        if not account:
-            user = getattr(self.request, 'user', None)
-            if user:
-                account = getattr(user, 'account', None)
-        
-        if not account:
-            return CreditTransaction.objects.none()
-        
-        queryset = CreditTransaction.objects.filter(account=account)
+        """Get transactions for current account - base class handles account filtering"""
+        queryset = super().get_queryset()
        
        # Filter by transaction type
        transaction_type = self.request.query_params.get('transaction_type')