From 8879ad485289d41ffd32c98e87689c321dc14a20 Mon Sep 17 00:00:00 2001 From: AmirAli Angha Date: Wed, 8 Jul 2026 15:40:00 +0330 Subject: [PATCH] Authorize accounting API from admin JWT payload claims. --- accounting/permissions.py | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/accounting/permissions.py b/accounting/permissions.py index bc890ab..33d49fe 100644 --- a/accounting/permissions.py +++ b/accounting/permissions.py @@ -2,10 +2,25 @@ from rest_framework.permissions import BasePermission class IsAdminAccount(BasePermission): - """Allows access only to authenticated staff/superuser accounts.""" + """Allows access only to authenticated staff/superuser / admin JWT accounts. + + FunZone minting uses JWTTokenUserAuthentication here (no local user DB). + rest_framework_simplejwt.TokenUser hardcodes is_staff/is_superuser to False, + so admin flags must be read from the token payload itself. + """ message = 'دسترسی غیرمجاز. فقط مدیران می‌توانند به این بخش دسترسی داشته باشند.' def has_permission(self, request, view): user = request.user - return bool(user and user.is_authenticated and (user.is_staff or user.is_superuser)) + if not user or not user.is_authenticated: + return False + + token = getattr(user, 'token', None) + if token is not None: + if token.get('user_type') == 'admin': + return True + if token.get('is_staff') or token.get('is_superuser'): + return True + + return bool(getattr(user, 'is_staff', False) or getattr(user, 'is_superuser', False))