Fix admin validation to check organization_members instead of tenant_account_joins

- Replace TenantAccountJoinRole check with OrganizationMember role check - Use OrganizationRole.ADMIN to validate admin privileges - Query organization_members table using account's current_organization_id - This fixes the issue where super_admin@test.edu couldn't login despite having admin role The previous validation was checking the wrong role system (tenant roles vs organization roles). Now it correctly validates against the organization membership role. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
11 months ago · fa19a56660
parent 42b7ec95bf
commit fa19a56660
1 changed files with 14 additions and 7 deletions
--- a/api/controllers/admin/wraps.py
+++ b/api/controllers/admin/wraps.py
@ -8,7 +8,8 @@ from werkzeug.exceptions import Forbidden, Unauthorized
 from configs import dify_config
 from extensions.ext_database import db
 from libs.passport import PassportService
-from models.account import AccountStatus, Tenant, TenantAccountJoinRole, TenantStatus
+from models.account import AccountStatus, Tenant, TenantStatus
+from models.organization import OrganizationMember, OrganizationRole
 from models.model import App
 from services.account_service import AccountService

@ -43,12 +44,18 @@ def validate_admin_token_and_extract_info(view: Optional[Callable] = None):
                raise Unauthorized("Invalid token: user not found")
            if account.status != AccountStatus.ACTIVE:
                raise Unauthorized("Invalid token: account is not active")
-            allowed_roles = [
-                TenantAccountJoinRole.END_ADMIN.value,
-                TenantAccountJoinRole.OWNER.value,
-                TenantAccountJoinRole.ADMIN.value
-            ]
-            if account.current_role not in allowed_roles:
+            
+            # Check if user has admin role in their current organization
+            org_member = db.session.query(OrganizationMember).filter(
+                OrganizationMember.account_id == user_id,
+                OrganizationMember.organization_id == account.current_organization_id
+            ).first()
+            
+            if not org_member:
+                raise Unauthorized("Invalid token: user is not a member of any organization")
+            
+            # Check if the user has admin role
+            if org_member.role != OrganizationRole.ADMIN:
                raise Unauthorized("Invalid token: account does not have admin privileges")

            app_id = request.headers.get("X-App-Id")