adsasdasd

2025-12-08 11:51:00 +00:00
parent affa783a4f
commit da3b45d1c7
14 changed files with 1763 additions and 19 deletions
--- a/backend/igny8_core/api/permissions.py
+++ b/backend/igny8_core/api/permissions.py
@@ -26,11 +26,27 @@ class HasTenantAccess(permissions.BasePermission):
    """
    Permission class that requires user to belong to the tenant/account
    Ensures tenant isolation
+    Superusers, developers, and system account users bypass this check.
    """
    def has_permission(self, request, view):
        if not request.user or not request.user.is_authenticated:
            return False
        
+        # Bypass for superusers
+        if getattr(request.user, 'is_superuser', False):
+            return True
+        
+        # Bypass for developers
+        if hasattr(request.user, 'role') and request.user.role == 'developer':
+            return True
+        
+        # Bypass for system account users
+        try:
+            if hasattr(request.user, 'is_system_account_user') and request.user.is_system_account_user():
+                return True
+        except Exception:
+            pass
+        
        # Get account from request (set by middleware)
        account = getattr(request, 'account', None)
        
@@ -58,11 +74,20 @@ class IsViewerOrAbove(permissions.BasePermission):
    """
    Permission class that requires viewer, editor, admin, or owner role
    For read-only operations
+    Superusers and developers bypass this check.
    """
    def has_permission(self, request, view):
        if not request.user or not request.user.is_authenticated:
            return False
        
+        # Bypass for superusers
+        if getattr(request.user, 'is_superuser', False):
+            return True
+        
+        # Bypass for developers
+        if hasattr(request.user, 'role') and request.user.role == 'developer':
+            return True
+        
        # Check user role
        if hasattr(request.user, 'role'):
            role = request.user.role
@@ -77,11 +102,20 @@ class IsEditorOrAbove(permissions.BasePermission):
    """
    Permission class that requires editor, admin, or owner role
    For content operations
+    Superusers and developers bypass this check.
    """
    def has_permission(self, request, view):
        if not request.user or not request.user.is_authenticated:
            return False
        
+        # Bypass for superusers
+        if getattr(request.user, 'is_superuser', False):
+            return True
+        
+        # Bypass for developers
+        if hasattr(request.user, 'role') and request.user.role == 'developer':
+            return True
+        
        # Check user role
        if hasattr(request.user, 'role'):
            role = request.user.role
@@ -96,11 +130,20 @@ class IsAdminOrOwner(permissions.BasePermission):
    """
    Permission class that requires admin or owner role only
    For settings, keys, billing operations
+    Superusers and developers bypass this check.
    """
    def has_permission(self, request, view):
        if not request.user or not request.user.is_authenticated:
            return False
        
+        # Bypass for superusers
+        if getattr(request.user, 'is_superuser', False):
+            return True
+        
+        # Bypass for developers
+        if hasattr(request.user, 'role') and request.user.role == 'developer':
+            return True
+        
        # Check user role
        if hasattr(request.user, 'role'):
            role = request.user.role