Files
accounting-backend/accounting/permissions.py

27 lines
1.0 KiB
Python

from rest_framework.permissions import BasePermission
class IsAdminAccount(BasePermission):
"""Allows access only to authenticated staff/superuser / admin JWT accounts.
FunZone minting uses JWTTokenUserAuthentication here (no local user DB).
rest_framework_simplejwt.TokenUser hardcodes is_staff/is_superuser to False,
so admin flags must be read from the token payload itself.
"""
message = 'دسترسی غیرمجاز. فقط مدیران می‌توانند به این بخش دسترسی داشته باشند.'
def has_permission(self, request, view):
user = request.user
if not user or not user.is_authenticated:
return False
token = getattr(user, 'token', None)
if token is not None:
if token.get('user_type') == 'admin':
return True
if token.get('is_staff') or token.get('is_superuser'):
return True
return bool(getattr(user, 'is_staff', False) or getattr(user, 'is_superuser', False))