fix: permission check logic for pats

phasehq · Nov 1, 2024 · e643a9d · e643a9d
1 parent f3e2b41
commit e643a9d
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/backend/api/views/secrets.py b/backend/api/views/secrets.py
@@ -61,8 +61,10 @@ def get(self, request):
             account = (
                 request.auth["service_account"]
                 if "service_account" in request.auth
+                and request.auth["service_account"] is not None
                 else request.auth["org_member"].user
             )
+
             if not user_has_permission(
                 account,
                 "read",
@@ -143,6 +145,7 @@ def post(self, request):
             account = (
                 request.auth["service_account"]
                 if "service_account" in request.auth
+                and request.auth["service_account"] is not None
                 else request.auth["org_member"].user
             )
             if not user_has_permission(
@@ -255,6 +258,7 @@ def put(self, request):
             account = (
                 request.auth["service_account"]
                 if "service_account" in request.auth
+                and request.auth["service_account"] is not None
                 else request.auth["org_member"].user
             )
 
@@ -382,6 +386,7 @@ def delete(self, request):
                 account = (
                     request.auth["service_account"]
                     if "service_account" in request.auth
+                    and request.auth["service_account"] is not None
                     else request.auth["org_member"].user
                 )
                 if not user_has_permission(
@@ -453,8 +458,10 @@ def get(self, request):
             account = (
                 request.auth["service_account"]
                 if "service_account" in request.auth
+                and request.auth["service_account"] is not None
                 else request.auth["org_member"].user
             )
+
             if not user_has_permission(
                 account,
                 "read",
@@ -534,6 +541,7 @@ def post(self, request):
         account = (
             request.auth["service_account"]
             if "service_account" in request.auth
+            and request.auth["service_account"] is not None
             else request.auth["org_member"].user
         )
         if not user_has_permission(
@@ -667,6 +675,7 @@ def put(self, request):
         account = (
             request.auth["service_account"]
             if "service_account" in request.auth
+            and request.auth["service_account"] is not None
             else request.auth["org_member"].user
         )
 
@@ -825,6 +834,7 @@ def delete(self, request):
         account = (
             request.auth["service_account"]
             if "service_account" in request.auth
+            and request.auth["service_account"] is not None
             else request.auth["org_member"].user
         )
         if not user_has_permission(