From b2d524e702a6ade018292069a326215b8a4491fe Mon Sep 17 00:00:00 2001
From: Vadym Samoilenko <vadymsamoilenko@oliver.agency>
Date: Wed, 29 Apr 2026 20:22:56 +0100
Subject: [PATCH] fix(mt-12): remove PM/CLIENT legacy bypass in
 _assert_client_access

The unconditional `if user.role in (CLIENT, PROJECT_MANAGER): return`
allowed any PM to access any client regardless of membership. Removed;
kept pm_client_ids legacy fallback for pre-migration users.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 backend/app/api/v1/routes_clients.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/backend/app/api/v1/routes_clients.py b/backend/app/api/v1/routes_clients.py
index be53c2b..481cd8e 100644
--- a/backend/app/api/v1/routes_clients.py
+++ b/backend/app/api/v1/routes_clients.py
@@ -484,6 +484,4 @@ async def _assert_client_access(user: User, client_id: str, db: AsyncIOMotorData
     # Legacy fallback for pre-migration users
     if user.role == UserRole.PROJECT_MANAGER and client_id in (user.pm_client_ids or []):
         return
-    if user.role in (UserRole.CLIENT, UserRole.PROJECT_MANAGER):
-        return
     raise HTTPException(status_code=403, detail="Insufficient permissions")