Authorize accounting API from admin JWT payload claims.
This commit is contained in:
@@ -2,10 +2,25 @@ from rest_framework.permissions import BasePermission
|
|||||||
|
|
||||||
|
|
||||||
class IsAdminAccount(BasePermission):
|
class IsAdminAccount(BasePermission):
|
||||||
"""Allows access only to authenticated staff/superuser accounts."""
|
"""Allows access only to authenticated staff/superuser / admin JWT accounts.
|
||||||
|
|
||||||
|
FunZone minting uses JWTTokenUserAuthentication here (no local user DB).
|
||||||
|
rest_framework_simplejwt.TokenUser hardcodes is_staff/is_superuser to False,
|
||||||
|
so admin flags must be read from the token payload itself.
|
||||||
|
"""
|
||||||
|
|
||||||
message = 'دسترسی غیرمجاز. فقط مدیران میتوانند به این بخش دسترسی داشته باشند.'
|
message = 'دسترسی غیرمجاز. فقط مدیران میتوانند به این بخش دسترسی داشته باشند.'
|
||||||
|
|
||||||
def has_permission(self, request, view):
|
def has_permission(self, request, view):
|
||||||
user = request.user
|
user = request.user
|
||||||
return bool(user and user.is_authenticated and (user.is_staff or user.is_superuser))
|
if not user or not user.is_authenticated:
|
||||||
|
return False
|
||||||
|
|
||||||
|
token = getattr(user, 'token', None)
|
||||||
|
if token is not None:
|
||||||
|
if token.get('user_type') == 'admin':
|
||||||
|
return True
|
||||||
|
if token.get('is_staff') or token.get('is_superuser'):
|
||||||
|
return True
|
||||||
|
|
||||||
|
return bool(getattr(user, 'is_staff', False) or getattr(user, 'is_superuser', False))
|
||||||
|
|||||||
Reference in New Issue
Block a user