Refactor API permissions and throttling: Updated default permission classes to enforce authentication and tenant access. Introduced new permission for system accounts and developers. Enhanced throttling rates for various operations to reduce false 429 errors. Improved API key loading logic to prioritize account-specific settings, with fallbacks to system accounts and Django settings. Updated integration views and sidebar to reflect new permission structure.

2025-12-07 17:23:42 +00:00
parent 3cbed65601
commit 65fea95d33
15 changed files with 374 additions and 71 deletions
--- a/backend/igny8_core/api/permissions.py
+++ b/backend/igny8_core/api/permissions.py
@@ -160,3 +160,21 @@ class IsAdminOrOwner(permissions.BasePermission):
        return False


+class IsSystemAccountOrDeveloper(permissions.BasePermission):
+    """
+    Allow only system accounts (aws-admin/default-account/default) or developer role.
+    Use for sensitive, globally-scoped settings like integration API keys.
+    """
+    def has_permission(self, request, view):
+        user = getattr(request, "user", None)
+        if not user or not user.is_authenticated:
+            return False
+
+        account_slug = getattr(getattr(user, "account", None), "slug", None)
+        if user.role == "developer":
+            return True
+        if account_slug in ["aws-admin", "default-account", "default"]:
+            return True
+        return False
+
+
--- a/backend/igny8_core/api/throttles.py
+++ b/backend/igny8_core/api/throttles.py
@@ -41,9 +41,11 @@ class DebugScopedRateThrottle(ScopedRateThrottle):
                if not request.user or not hasattr(request.user, 'is_authenticated') or not request.user.is_authenticated:
                    public_blueprint_bypass = True
        
-        # Bypass for system account users (aws-admin, default-account, etc.)
+        # Bypass for authenticated users (avoid user-facing 429s) and system accounts
        system_account_bypass = False
+        authenticated_bypass = False
        if hasattr(request, 'user') and request.user and hasattr(request.user, 'is_authenticated') and request.user.is_authenticated:
+            authenticated_bypass = True  # Do not throttle logged-in users
            try:
                # Check if user is in system account (aws-admin, default-account, default)
                if hasattr(request.user, 'is_system_account_user') and request.user.is_system_account_user():
@@ -55,7 +57,7 @@ class DebugScopedRateThrottle(ScopedRateThrottle):
                # If checking fails, continue with normal throttling
                pass
        
-        if debug_bypass or env_bypass or system_account_bypass or public_blueprint_bypass:
+        if debug_bypass or env_bypass or system_account_bypass or public_blueprint_bypass or authenticated_bypass:
            # In debug mode or for system accounts, still set throttle headers but don't actually throttle
            # This allows testing throttle headers without blocking requests
            if hasattr(self, 'get_rate'):