adsasdasd

backend/igny8_core/auth/middleware.py

@@ -31,14 +31,6 @@ class AccountContextMiddleware(MiddlewareMixin):
         # First, try to get user from Django session (cookie-based auth)
         # This handles cases where frontend uses credentials: 'include' with session cookies
         if hasattr(request, 'user') and request.user and request.user.is_authenticated:
-            # Block superuser access via session on non-admin routes (JWT required)
-            auth_header = request.META.get('HTTP_AUTHORIZATION', '')
-            if request.user.is_superuser and not auth_header.startswith('Bearer '):
-                logout(request)
-                return JsonResponse(
-                    {'success': False, 'error': 'Session authentication not allowed for API. Use JWT.'},
-                    status=status.HTTP_403_FORBIDDEN,
-                )
             # User is authenticated via session - refresh from DB to get latest account/plan data
             # This ensures changes to account/plan are reflected immediately without re-login
             try:
@@ -141,7 +133,23 @@ class AccountContextMiddleware(MiddlewareMixin):
         """
         Ensure the authenticated user has an account and an active plan.
         Uses shared validation helper for consistency.
+        Bypasses validation for superusers, developers, and system accounts.
         """
+        # Bypass validation for superusers
+        if getattr(user, 'is_superuser', False):
+            return None
+        
+        # Bypass validation for developers
+        if hasattr(user, 'role') and user.role == 'developer':
+            return None
+        
+        # Bypass validation for system account users
+        try:
+            if hasattr(user, 'is_system_account_user') and user.is_system_account_user():
+                return None
+        except Exception:
+            pass
+        
         from .utils import validate_account_and_plan
         
         is_valid, error_message, http_status = validate_account_and_plan(user)

backend/igny8_core/auth/utils.py

@@ -135,6 +135,7 @@ def validate_account_and_plan(user_or_account):
     """
     Validate account exists and has active plan.
     Allows trial, active, and pending_payment statuses.
+    Bypasses validation for superusers, developers, and system accounts.
     
     Args:
         user_or_account: User or Account instance
@@ -145,6 +146,22 @@ def validate_account_and_plan(user_or_account):
     from rest_framework import status
     from .models import User, Account
     
+    # Bypass validation for superusers
+    if isinstance(user_or_account, User):
+        if getattr(user_or_account, 'is_superuser', False):
+            return (True, None, None)
+        
+        # Bypass validation for developers
+        if hasattr(user_or_account, 'role') and user_or_account.role == 'developer':
+            return (True, None, None)
+        
+        # Bypass validation for system account users
+        try:
+            if hasattr(user_or_account, 'is_system_account_user') and user_or_account.is_system_account_user():
+                return (True, None, None)
+        except Exception:
+            pass
+    
     # Extract account from user or use directly
     if isinstance(user_or_account, User):
         try:
@@ -153,6 +170,12 @@ def validate_account_and_plan(user_or_account):
             account = None
     elif isinstance(user_or_account, Account):
         account = user_or_account
+        # Check if account is a system account
+        try:
+            if hasattr(account, 'is_system_account') and account.is_system_account():
+                return (True, None, None)
+        except Exception:
+            pass
     else:
         return (False, 'Invalid object type', status.HTTP_400_BAD_REQUEST)