from rest_framework.permissions import BasePermission class IsAdminAccount(BasePermission): """Allows access only to authenticated staff/superuser / admin JWT accounts. FunZone minting uses JWTTokenUserAuthentication here (no local user DB). rest_framework_simplejwt.TokenUser hardcodes is_staff/is_superuser to False, so admin flags must be read from the token payload itself. """ message = 'دسترسی غیرمجاز. فقط مدیران می‌توانند به این بخش دسترسی داشته باشند.' def has_permission(self, request, view): user = request.user if not user or not user.is_authenticated: return False token = getattr(user, 'token', None) if token is not None: if token.get('user_type') == 'admin': return True if token.get('is_staff') or token.get('is_superuser'): return True return bool(getattr(user, 'is_staff', False) or getattr(user, 'is_superuser', False))