Revert "Fix authentication: Follow unified API model - token account_id is authoritative"
This reverts commit 8171014a7e.
This commit is contained in:
Desktop
@@ -62,18 +62,32 @@ class JWTAuthentication(BaseAuthentication):
|
||||
# User not found - return None to allow other auth classes to try
|
||||
return None
|
||||
|
||||
# Get account from token (token's account_id is authoritative per unified API model)
|
||||
# Unified API Standard: Token contains account_id, middleware extracts and sets request.account
|
||||
# Get account from token (token's account_id is authoritative for current context)
|
||||
account_id = payload.get('account_id')
|
||||
account = None
|
||||
if account_id:
|
||||
try:
|
||||
account = Account.objects.get(id=account_id)
|
||||
# Verify user has access to this account
|
||||
# For developers/admins, they can access any account
|
||||
# For regular users, verify they belong to this account
|
||||
if not user.is_admin_or_developer() and not user.is_system_account_user():
|
||||
# Regular user - must belong to this account
|
||||
if user.account and user.account.id != account_id:
|
||||
# User doesn't belong to token's account - use user's account instead
|
||||
account = user.account
|
||||
except Account.DoesNotExist:
|
||||
# Account from token doesn't exist - set to None
|
||||
# Account from token doesn't exist - use user's account instead
|
||||
pass
|
||||
|
||||
if not account:
|
||||
try:
|
||||
account = getattr(user, 'account', None)
|
||||
except (AttributeError, Exception):
|
||||
# If account access fails, set to None
|
||||
account = None
|
||||
|
||||
# Set account on request (unified API model: token's account_id is authoritative)
|
||||
# Set account on request
|
||||
request.account = account
|
||||
|
||||
return (user, token)
|
||||
|
||||
@@ -99,14 +99,21 @@ class AccountContextMiddleware(MiddlewareMixin):
|
||||
user = User.objects.select_related('account', 'account__plan').get(id=user_id)
|
||||
request.user = user
|
||||
if account_id:
|
||||
# Unified API Standard: Extract account_id from JWT, load Account object, set request.account
|
||||
# Token's account_id is authoritative - no validation against user.account
|
||||
try:
|
||||
# Verify account still exists
|
||||
account = Account.objects.get(id=account_id)
|
||||
# Token's account_id is authoritative for current context
|
||||
# For developers/admins, they can access any account
|
||||
# For regular users, verify they belong to this account
|
||||
if not user.is_admin_or_developer() and not user.is_system_account_user():
|
||||
# Regular user - must belong to this account
|
||||
if user.account and user.account.id != account_id:
|
||||
# User doesn't belong to token's account - use user's account instead
|
||||
request.account = user.account
|
||||
else:
|
||||
request.account = account
|
||||
else:
|
||||
# Developer/admin/system user - use token's account (they can access any)
|
||||
request.account = account
|
||||
except Account.DoesNotExist:
|
||||
# Account from token doesn't exist - set to None
|
||||
request.account = None
|
||||
else:
|
||||
try:
|
||||
user_account = getattr(user, 'account', None)
|
||||
|
||||
Reference in New Issue
Block a user