Refactor account and permission handling: Simplified account filtering logic in AccountModelViewSet and removed redundant admin/system user checks from permissions. Enhanced user access methods to streamline site access verification and improved error handling for account context requirements. Updated throttling logic to eliminate unnecessary system account bypass conditions.

backend/igny8_core/auth/models.py

@@ -604,8 +604,7 @@ class User(AbstractUser):
         return self.role == 'developer' or self.is_superuser
     
     def is_admin_or_developer(self):
-        """Check if user is admin or developer with override privileges."""
-        # ADMIN/DEV OVERRIDE: Both admin and developer roles bypass account/site/sector restrictions
+        """Check if user is admin or developer."""
         return self.role in ['admin', 'developer'] or self.is_superuser
     
     def is_system_account_user(self):
@@ -618,29 +617,17 @@ class User(AbstractUser):
     
     def get_accessible_sites(self):
         """Get all sites the user can access."""
-        # System account users can access all sites across all accounts
-        if self.is_system_account_user():
-            return Site.objects.filter(is_active=True).distinct()
-        
-        # Developers/super admins can access all sites across all accounts
-        # ADMIN/DEV OVERRIDE: Admins also bypass account restrictions (see is_admin_or_developer)
-        if self.is_developer():
-            return Site.objects.filter(is_active=True).distinct()
-        
         try:
             if not self.account:
                 return Site.objects.none()
             
-            # Owners and admins can access all sites in their account
-            if self.role in ['owner', 'admin']:
-                return Site.objects.filter(account=self.account, is_active=True)
+            base_sites = Site.objects.filter(account=self.account, is_active=True)
+            
+            if self.role in ['owner', 'admin', 'developer'] or self.is_superuser or self.is_system_account_user():
+                return base_sites
             
             # Other users can only access sites explicitly granted via SiteUserAccess
-            return Site.objects.filter(
-                account=self.account,
-                is_active=True,
-                user_access__user=self
-            ).distinct()
+            return base_sites.filter(user_access__user=self).distinct()
         except (AttributeError, Exception):
             # If account access fails (e.g., column mismatch), return empty queryset
             return Site.objects.none()

backend/igny8_core/auth/views.py

@@ -500,22 +500,14 @@ class SiteViewSet(AccountModelViewSet):
         
         user = self.request.user
         
-        # ADMIN/DEV OVERRIDE: Both admins and developers can see all sites
-        if user.is_admin_or_developer():
-            return Site.objects.all().distinct()
-        
-        # Get account from user
         account = getattr(user, 'account', None)
         if not account:
             return Site.objects.none()
         
-        if user.role in ['owner', 'admin']:
-            return Site.objects.filter(account=account)
+        if hasattr(user, 'get_accessible_sites'):
+            return user.get_accessible_sites()
         
-        return Site.objects.filter(
-            account=account,
-            user_access__user=user
-        ).distinct()
+        return Site.objects.filter(account=account)
     
     def perform_create(self, serializer):
         """Create site with account."""
@@ -736,11 +728,6 @@ class SectorViewSet(AccountModelViewSet):
         user = self.request.user
         if not user or not user.is_authenticated:
             return Sector.objects.none()
-        
-        # ADMIN/DEV OVERRIDE: Both admins and developers can see all sectors across all sites
-        if user.is_admin_or_developer():
-            return Sector.objects.all().distinct()
-        
         accessible_sites = user.get_accessible_sites()
         return Sector.objects.filter(site__in=accessible_sites)