Refactor account and permission handling: Simplified account filtering logic in AccountModelViewSet and removed redundant admin/system user checks from permissions. Enhanced user access methods to streamline site access verification and improved error handling for account context requirements. Updated throttling logic to eliminate unnecessary system account bypass conditions.

2025-12-08 05:23:06 +00:00
parent f0066b6e7d
commit 6dcbc651dd
12 changed files with 483 additions and 324 deletions
--- a/backend/igny8_core/auth/views.py
+++ b/backend/igny8_core/auth/views.py
@@ -500,22 +500,14 @@ class SiteViewSet(AccountModelViewSet):
        
        user = self.request.user
        
-        # ADMIN/DEV OVERRIDE: Both admins and developers can see all sites
-        if user.is_admin_or_developer():
-            return Site.objects.all().distinct()
-        
-        # Get account from user
        account = getattr(user, 'account', None)
        if not account:
            return Site.objects.none()
        
-        if user.role in ['owner', 'admin']:
-            return Site.objects.filter(account=account)
+        if hasattr(user, 'get_accessible_sites'):
+            return user.get_accessible_sites()
        
-        return Site.objects.filter(
-            account=account,
-            user_access__user=user
-        ).distinct()
+        return Site.objects.filter(account=account)
    
    def perform_create(self, serializer):
        """Create site with account."""
@@ -736,11 +728,6 @@ class SectorViewSet(AccountModelViewSet):
        user = self.request.user
        if not user or not user.is_authenticated:
            return Sector.objects.none()
-        
-        # ADMIN/DEV OVERRIDE: Both admins and developers can see all sectors across all sites
-        if user.is_admin_or_developer():
-            return Sector.objects.all().distinct()
-        
        accessible_sites = user.get_accessible_sites()
        return Sector.objects.filter(site__in=accessible_sites)