diff --git a/accounting/permissions.py b/accounting/permissions.py index bc890ab..33d49fe 100644 --- a/accounting/permissions.py +++ b/accounting/permissions.py @@ -2,10 +2,25 @@ from rest_framework.permissions import BasePermission class IsAdminAccount(BasePermission): - """Allows access only to authenticated staff/superuser accounts.""" + """Allows access only to authenticated staff/superuser / admin JWT accounts. + + FunZone minting uses JWTTokenUserAuthentication here (no local user DB). + rest_framework_simplejwt.TokenUser hardcodes is_staff/is_superuser to False, + so admin flags must be read from the token payload itself. + """ message = 'دسترسی غیرمجاز. فقط مدیران می‌توانند به این بخش دسترسی داشته باشند.' def has_permission(self, request, view): user = request.user - return bool(user and user.is_authenticated and (user.is_staff or user.is_superuser)) + if not user or not user.is_authenticated: + return False + + token = getattr(user, 'token', None) + if token is not None: + if token.get('user_type') == 'admin': + return True + if token.get('is_staff') or token.get('is_superuser'): + return True + + return bool(getattr(user, 'is_staff', False) or getattr(user, 'is_superuser', False))