feat(multi-tenancy): implement critical fixes for orphaned users and permissions

- Simplified HasTenantAccess permission logic to ensure every authenticated user has an account. - Added fallback to system account for OpenAI settings in AI configuration. - Allowed any authenticated user to check task progress in IntegrationSettingsViewSet. - Created a script to identify and fix orphaned users without accounts. - Updated error response handling in business endpoints for clarity.
2025-12-10 09:51:06 +00:00
parent 5fb3687854
commit 7a35981038
11 changed files with 573 additions and 38 deletions
--- a/backend/igny8_core/modules/planner/views.py
+++ b/backend/igny8_core/modules/planner/views.py
@@ -5,6 +5,7 @@ from django_filters.rest_framework import DjangoFilterBackend
 from django.db import transaction
 from django.db.models import Max, Count, Sum, Q
 from django.http import HttpResponse
+from django.conf import settings
 import csv
 import json
 import time
@@ -655,10 +656,10 @@ class KeywordViewSet(SiteSectorModelViewSet):
                    error=validation['error'],
                    status_code=status.HTTP_400_BAD_REQUEST,
                    request=request,
-                    extra_data={
+                    debug_info={
                        'count': validation.get('count'),
                        'required': validation.get('required')
-                    }
+                    } if settings.DEBUG else None
                )
            
            # Validation passed - proceed with clustering
--- a/backend/igny8_core/modules/system/integration_views.py
+++ b/backend/igny8_core/modules/system/integration_views.py
@@ -29,6 +29,9 @@ class IntegrationSettingsViewSet(viewsets.ViewSet):
    ViewSet for managing integration settings (OpenAI, Runware, GSC)
    Following reference plugin pattern: WordPress uses update_option() for igny8_api_settings
    We store in IntegrationSettings model with account isolation
+    
+    IMPORTANT: Integration settings are system-wide (configured by super users/developers)
+    Normal users don't configure their own API keys - they use the system account settings via fallback
    """
    permission_classes = [IsAuthenticatedAndActive, HasTenantAccess, IsSystemAccountOrDeveloper]
    
@@ -897,11 +900,14 @@ class IntegrationSettingsViewSet(viewsets.ViewSet):
                request=request
            )
    
-    @action(detail=False, methods=['get'], url_path='task_progress/(?P<task_id>[^/.]+)', url_name='task-progress')
+    @action(detail=False, methods=['get'], url_path='task_progress/(?P<task_id>[^/.]+)', url_name='task-progress',
+            permission_classes=[IsAuthenticatedAndActive])  # Allow any authenticated user to check task progress
    def task_progress(self, request, task_id=None):
        """
        Get Celery task progress status
        GET /api/v1/system/settings/task_progress/<task_id>/
+        
+        Permission: Any authenticated user can check task progress (not restricted to system accounts)
        """
        if not task_id:
            return error_response(