Authorize accounting API from admin JWT payload claims.

This commit is contained in:
2026-07-08 15:40:00 +03:30
parent 2a1918b47c
commit 8879ad4852

View File

@@ -2,10 +2,25 @@ from rest_framework.permissions import BasePermission
class IsAdminAccount(BasePermission): class IsAdminAccount(BasePermission):
"""Allows access only to authenticated staff/superuser accounts.""" """Allows access only to authenticated staff/superuser / admin JWT accounts.
FunZone minting uses JWTTokenUserAuthentication here (no local user DB).
rest_framework_simplejwt.TokenUser hardcodes is_staff/is_superuser to False,
so admin flags must be read from the token payload itself.
"""
message = 'دسترسی غیرمجاز. فقط مدیران می‌توانند به این بخش دسترسی داشته باشند.' message = 'دسترسی غیرمجاز. فقط مدیران می‌توانند به این بخش دسترسی داشته باشند.'
def has_permission(self, request, view): def has_permission(self, request, view):
user = request.user user = request.user
return bool(user and user.is_authenticated and (user.is_staff or user.is_superuser)) if not user or not user.is_authenticated:
return False
token = getattr(user, 'token', None)
if token is not None:
if token.get('user_type') == 'admin':
return True
if token.get('is_staff') or token.get('is_superuser'):
return True
return bool(getattr(user, 'is_staff', False) or getattr(user, 'is_superuser', False))