Refactor API permissions and throttling: Updated default permission classes to enforce authentication and tenant access. Introduced new permission for system accounts and developers. Enhanced throttling rates for various operations to reduce false 429 errors. Improved API key loading logic to prioritize account-specific settings, with fallbacks to system accounts and Django settings. Updated integration views and sidebar to reflect new permission structure.

2025-12-07 17:23:42 +00:00
parent 3cbed65601
commit 65fea95d33
15 changed files with 374 additions and 71 deletions
--- a/backend/igny8_core/api/permissions.py
+++ b/backend/igny8_core/api/permissions.py
@@ -160,3 +160,21 @@ class IsAdminOrOwner(permissions.BasePermission):
        return False


+class IsSystemAccountOrDeveloper(permissions.BasePermission):
+    """
+    Allow only system accounts (aws-admin/default-account/default) or developer role.
+    Use for sensitive, globally-scoped settings like integration API keys.
+    """
+    def has_permission(self, request, view):
+        user = getattr(request, "user", None)
+        if not user or not user.is_authenticated:
+            return False
+
+        account_slug = getattr(getattr(user, "account", None), "slug", None)
+        if user.role == "developer":
+            return True
+        if account_slug in ["aws-admin", "default-account", "default"]:
+            return True
+        return False
+
+