Fix Demo enterprise list

2025-12-17 16:28:58 +01:00
parent f25d7a9745
commit b715a14848
8 changed files with 78 additions and 1286 deletions
--- a/services/tenant/app/api/tenant_operations.py
+++ b/services/tenant/app/api/tenant_operations.py
@@ -378,10 +378,22 @@ async def get_nearby_tenants(
@track_endpoint_metrics("tenant_get_user_tenants")
 async def get_user_tenants(
    user_id: str = Path(..., description="User ID"),
+    current_user: Dict[str, Any] = Depends(get_current_user_dep),
    tenant_service: EnhancedTenantService = Depends(get_enhanced_tenant_service)
 ):
    """Get all tenants owned by a user - Fixed endpoint for frontend"""

+    # Security check: users can only access their own tenants unless they're admin or demo user
+    is_demo_user = current_user.get("is_demo", False)
+    is_service_account = current_user.get("type") == "service"
+    user_role = current_user.get('role', '').lower()
+    
+    if user_id != current_user["user_id"] and not is_service_account and not (is_demo_user and user_id == "demo-user") and user_role != 'admin':
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Can only access your own tenants"
+        )
+
    try:
        tenants = await tenant_service.get_user_tenants(user_id)
        logger.info("Retrieved user tenants", user_id=user_id, tenant_count=len(tenants))
@@ -398,10 +410,22 @@ async def get_user_tenants(
@track_endpoint_metrics("tenant_get_user_memberships")
 async def get_user_memberships(
    user_id: str = Path(..., description="User ID"),
+    current_user: Dict[str, Any] = Depends(get_current_user_dep),
    tenant_service: EnhancedTenantService = Depends(get_enhanced_tenant_service)
 ):
    """Get all tenant memberships for a user (for authentication service)"""

+    # Security check: users can only access their own memberships unless they're admin or demo user
+    is_demo_user = current_user.get("is_demo", False)
+    is_service_account = current_user.get("type") == "service"
+    user_role = current_user.get('role', '').lower()
+    
+    if user_id != current_user["user_id"] and not is_service_account and not (is_demo_user and user_id == "demo-user") and user_role != 'admin':
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Can only access your own memberships"
+        )
+
    try:
        memberships = await tenant_service.get_user_memberships(user_id)
        logger.info("Retrieved user memberships", user_id=user_id, membership_count=len(memberships))
--- a/services/tenant/app/services/tenant_service.py
+++ b/services/tenant/app/services/tenant_service.py
@@ -309,18 +309,54 @@ class EnhancedTenantService:
                        error=str(e))
            return None
    
-    async def get_user_tenants(self, owner_id: str) -> List[TenantResponse]:
-        """Get all tenants owned by a user"""
+    async def get_user_tenants(self, user_id: str) -> List[TenantResponse]:
+        """Get all tenants accessible by a user (both owned and member tenants)"""

        try:
            async with self.database_manager.get_session() as db_session:
                await self._init_repositories(db_session)
-                tenants = await self.tenant_repo.get_tenants_by_owner(owner_id)
-                return [TenantResponse.from_orm(tenant) for tenant in tenants]
+                
+                # Get tenants where user is the owner
+                owned_tenants = await self.tenant_repo.get_tenants_by_owner(user_id)
+                
+                # Get tenants where user is a member (but not owner)
+                memberships = await self.member_repo.get_user_memberships(user_id, active_only=True)
+                
+                # Get tenant details for each membership
+                member_tenant_ids = [str(membership.tenant_id) for membership in memberships]
+                member_tenants = []
+                
+                if member_tenant_ids:
+                    # Get tenant details for each membership
+                    for tenant_id in member_tenant_ids:
+                        tenant = await self.tenant_repo.get_by_id(tenant_id)
+                        if tenant:
+                            member_tenants.append(tenant)
+                
+                # Combine and deduplicate (in case user is both owner and member)
+                all_tenants = owned_tenants + member_tenants
+                
+                # Remove duplicates by tenant ID
+                unique_tenants = []
+                seen_ids = set()
+                for tenant in all_tenants:
+                    if str(tenant.id) not in seen_ids:
+                        seen_ids.add(str(tenant.id))
+                        unique_tenants.append(tenant)
+                
+                logger.info(
+                    "Retrieved user tenants",
+                    user_id=user_id,
+                    owned_count=len(owned_tenants),
+                    member_count=len(member_tenants),
+                    total_count=len(unique_tenants)
+                )
+                
+                return [TenantResponse.from_orm(tenant) for tenant in unique_tenants]

        except Exception as e:
            logger.error("Error getting user tenants",
-                        owner_id=owner_id,
+                        user_id=user_id,
                        error=str(e))
            return []