1

2025-11-16 20:02:45 +00:00
parent 9f3c4a6cdd
commit b2e60b749a
3 changed files with 283 additions and 23 deletions
--- a/backend/igny8_core/api/authentication.py
+++ b/backend/igny8_core/api/authentication.py
@@ -67,16 +67,10 @@ class JWTAuthentication(BaseAuthentication):
                try:
                    account = Account.objects.get(id=account_id)
                except Account.DoesNotExist:
-                    pass
-            
-            if not account:
-                try:
-                    account = getattr(user, 'account', None)
-                except (AttributeError, Exception):
-                    # If account access fails, set to None
+                    # Account from token doesn't exist - don't fallback, set to None
                    account = None
            
-            # Set account on request
+            # Set account on request (only if account_id was in token and account exists)
            request.account = account
            
            return (user, token)
--- a/backend/igny8_core/auth/middleware.py
+++ b/backend/igny8_core/auth/middleware.py
@@ -97,23 +97,16 @@ class AccountContextMiddleware(MiddlewareMixin):
                    # Only set request.account for account context
                    user = User.objects.select_related('account', 'account__plan').get(id=user_id)
                    if account_id:
-                        # Verify account still exists and matches user
-                        account = Account.objects.get(id=account_id)
-                        # If user's account changed, use the new one from user object
-                        if user.account and user.account.id != account_id:
-                            request.account = user.account
-                        else:
-                            request.account = account
-                    else:
+                        # Verify account still exists
                        try:
-                            user_account = getattr(user, 'account', None)
-                            if user_account:
-                                request.account = user_account
-                            else:
-                                request.account = None
-                        except (AttributeError, Exception):
-                            # If account access fails (e.g., column mismatch), set to None
+                            account = Account.objects.get(id=account_id)
+                            request.account = account
+                        except Account.DoesNotExist:
+                            # Account from token doesn't exist - don't fallback, set to None
                            request.account = None
+                    else:
+                        # No account_id in token - set to None (don't fallback to user.account)
+                        request.account = None
                except (User.DoesNotExist, Account.DoesNotExist):
                    request.account = None
            else: