chore: resolve merge conflicts with main

- deps.py: keep require_tenant_context + require_admin_db (RLS deps); drop unused get_tenant_context stub from Phase 0 - categories.py: keep both PLATFORM_ACCOUNT_ID and tenant_filter imports (body uses both) - tenant-isolation spec: keep main's resolved TargetList/teams audit answers Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 04:57:39 +00:00
parent 8f044849d4 85575839f2
commit b9da0e7107
18 changed files with 837 additions and 64 deletions
--- a/backend/app/core/filters.py
+++ b/backend/app/core/filters.py
@@ -1,10 +1,12 @@
 """
 Centralized query filters for ResolutionFlow.

-Provides reusable SQLAlchemy filter builders for tree access control
-and step visibility, used across multiple endpoint modules.
+Provides reusable SQLAlchemy filter builders for tree access control,
+step visibility, and the canonical tenant_filter used by all queries
+on tenant-scoped tables.
 """
 from __future__ import annotations
+import uuid
 from typing import TYPE_CHECKING

 from sqlalchemy import or_, and_, true as sa_true
@@ -13,6 +15,18 @@ if TYPE_CHECKING:
    from app.models.user import User


+def tenant_filter(model, account_id: uuid.UUID):
+    """Primary app-layer tenant filter.
+
+    MUST be used in every SELECT/UPDATE/DELETE on tenant tables.
+    RLS (Phase 2) is the safety net — this is the primary enforcement.
+
+    Usage:
+        stmt = select(Tree).where(tenant_filter(Tree, current_user.account_id), ...)
+    """
+    return model.account_id == account_id
+
+
 def build_tree_access_filter(current_user: User):
    """Build the access filter for trees based on user permissions.

@@ -36,10 +50,11 @@ def build_tree_access_filter(current_user: User):
        Tree.author_id == current_user.id,
    ]
    if current_user.account_id:
+        # Team-visible trees: use tenant_filter as the account match
        conditions.append(
            and_(
                Tree.visibility == 'team',
-                Tree.account_id == current_user.account_id
+                tenant_filter(Tree, current_user.account_id),
            )
        )
    return or_(*conditions)
@@ -58,11 +73,14 @@ def build_step_visibility_filter(current_user: User):
    if current_user.account_id:
        return or_(
            StepLibrary.visibility == 'public',
-            and_(StepLibrary.visibility == 'team', StepLibrary.account_id == current_user.account_id),
-            StepLibrary.created_by == current_user.id  # Own private steps
+            and_(
+                StepLibrary.visibility == 'team',
+                tenant_filter(StepLibrary, current_user.account_id),
+            ),
+            StepLibrary.created_by == current_user.id,
        )
    else:
        return or_(
            StepLibrary.visibility == 'public',
-            StepLibrary.created_by == current_user.id
+            StepLibrary.created_by == current_user.id,
        )