Refactor API permissions and throttling: Updated default permission classes to enforce authentication and tenant access. Introduced new permission for system accounts and developers. Enhanced throttling rates for various operations to reduce false 429 errors. Improved API key loading logic to prioritize account-specific settings, with fallbacks to system accounts and Django settings. Updated integration views and sidebar to reflect new permission structure.
This commit is contained in:
IGNY8 VPS (Salman)
@@ -53,3 +53,9 @@
|
||||
## How Developers Should Work With This Module
|
||||
- Before running any fix/verify script, read it and constrain to target account/site if possible.
|
||||
- Add notes here when new manual interventions occur, including date/purpose and scripts used.
|
||||
|
||||
## Recent Hardening (Dec 2025)
|
||||
- Throttling bypass for authenticated users to prevent user-facing 429s.
|
||||
- AI keys fallback: OpenAI/Runware pulled from system account (`aws-admin`/`default-account`/`default`) or Django settings if tenant key absent.
|
||||
- Integration settings restricted to system account or developer (`IsSystemAccountOrDeveloper` backend guard, `AdminGuard` frontend).
|
||||
- DRF default permissions tightened to authenticated + tenant access (`IsAuthenticatedAndActive`, `HasTenantAccess`); public endpoints must override explicitly (e.g., AuthViewSet).
|
||||
|
||||
Reference in New Issue
Block a user