Fix super user bypass and show virtual accounts in admin UI

Two related fixes for account access: 1. **Super user bypass for permission filtering** - Super users now bypass permission checks and see all accounts - Fixes issue where Castle system account was blocked from seeing accounts - Regular users still get filtered by permissions as expected 2. **Show virtual accounts in permissions management UI** - Permissions page now passes exclude_virtual=false - Admins need to see virtual accounts to grant permissions on them - Enables granting permission on 'Expenses:Supplies' to give access to all children Impact: - Super user can now create entries and see all accounts ✓ - Admins can grant permissions on virtual parent accounts ✓ - Regular users still only see permitted, non-virtual accounts ✓ - Permission inheritance works correctly for all users ✓ 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 03:33:31 +01:00 · 2025-11-11 03:33:31 +01:00 · 7506b0250f
commit 7506b0250f
parent 0e6fe3e3cd
2 changed files with 9 additions and 3 deletions
--- a/static/js/permissions.js
+++ b/static/js/permissions.js
@ -155,9 +155,10 @@ window.app = Vue.createApp({
    async loadAccounts() {
      try {
        // Admin permissions UI needs to see virtual accounts to grant permissions on them
        const response = await LNbits.api.request(
          'GET',
-          '/castle/api/v1/accounts',
+          '/castle/api/v1/accounts?exclude_virtual=false',
          this.g.user.wallets[0].inkey
        )
        this.accounts = response.data
--- a/views_api.py
+++ b/views_api.py
@ -140,9 +140,15 @@ async def api_get_accounts(
    - exclude_virtual: If true, exclude virtual parent accounts (default True)
    - Returns AccountWithPermissions objects when filter_by_user=true, otherwise Account objects
    """
    from lnbits.settings import settings as lnbits_settings
    all_accounts = await get_all_accounts()
-    if not filter_by_user:
+    user_id = wallet.wallet.user
    is_super_user = user_id == lnbits_settings.super_user
    # Super users bypass permission filtering - they see everything
    if not filter_by_user or is_super_user:
        # Filter out virtual accounts if requested (default behavior for user views)
        if exclude_virtual:
            all_accounts = [acc for acc in all_accounts if not acc.is_virtual]
@ -151,7 +157,6 @@ async def api_get_accounts(
    # Filter by user permissions
    # NOTE: Do NOT filter out virtual accounts yet - they're needed for inheritance logic
    user_id = wallet.wallet.user
    user_permissions = await get_user_permissions(user_id)
    # Get set of account IDs the user has any permission on