From 4af5134726f87481293e6c22e9f12bb365beb3c8 Mon Sep 17 00:00:00 2001
From: xds
Date: Wed, 18 Feb 2026 17:06:17 +0300
Subject: [PATCH] fixes
---
 api/endpoints/generation_router.py | 49 ++++++++++++++++++------------
 1 file changed, 29 insertions(+), 20 deletions(-)
diff --git a/api/endpoints/generation_router.py b/api/endpoints/generation_router.py
index d7db815..5eaf1d9 100644
--- a/api/endpoints/generation_router.py
+++ b/api/endpoints/generation_router.py
@@ -1,26 +1,31 @@
+import logging
+import os
+import json
 from typing import List, Optional
 from fastapi import APIRouter, UploadFile, File, Form, Header, HTTPException
 from fastapi.params import Depends
+from starlette import status
 from starlette.requests import Request
-from api import service
 from api.dependency import get_generation_service, get_project_id, get_dao
-from repos.dao import DAO
-
-from api.models import GenerationResponse, GenerationRequest, GenerationsResponse, PromptResponse, PromptRequest, GenerationGroupResponse
-from api.models import FinancialReport
+from api.endpoints.auth import get_current_user
+from api.models import (
+ GenerationResponse,
+ GenerationRequest,
+ GenerationsResponse,
+ PromptResponse,
+ PromptRequest,
+ GenerationGroupResponse,
+ FinancialReport,
+ ExternalGenerationRequest
+)
 from api.service.generation_service import GenerationService
-from models.Generation import Generation
-
-from starlette import status
-
-import logging
+from repos.dao import DAO
+from utils.external_auth import verify_signature
 logger = logging.getLogger(__name__)
-from api.endpoints.auth import get_current_user
-
 router = APIRouter(prefix='/api/generations', tags=["Generation"])
@@ -162,7 +167,15 @@ async def get_generation(generation_id: str,
 logger.debug(f"get_generation called for ID: {generation_id}")
 gen = await generation_service.get_generation(generation_id)
 if gen and gen.created_by != str(current_user["_id"]):
- raise HTTPException(status_code=403, detail="Access denied")
+ # Check project membership
+ is_member = False
+ if gen.project_id:
+ project = await generation_service.dao.projects.get_project(gen.project_id)
+ if project and str(current_user["_id"]) in project.members:
+ is_member = True
+
+ if not is_member:
+ raise HTTPException(status_code=403, detail="Access denied")
 return gen
@@ -178,11 +191,8 @@ async def import_external_generation(
 Import a generation from an external source.
 Requires server-to-server authentication via HMAC signature.
 """
- import os
- from utils.external_auth import verify_signature
- from api.models import ExternalGenerationRequest
-
- logger.info("import_external_generation called")
+
+ logger.info("import_external_generation called")
 # Get raw request body for signature verification
 body = await request.body()
@@ -197,7 +207,6 @@ async def import_external_generation(
 raise HTTPException(status_code=401, detail="Invalid signature")
 # Parse request body
- import json
 try:
 data = json.loads(body.decode('utf-8'))
 external_gen = ExternalGenerationRequest(**data)
@@ -222,4 +231,4 @@ async def delete_generation(generation_id: str,
 deleted = await generation_service.delete_generation(generation_id)
 if not deleted:
 raise HTTPException(status_code=404, detail="Generation not found")
- return None
\ No newline at end of file
+ return None
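Review bot: The membership test `str(current_user["_id"]) in project.members` in get_generation is only a sound authorization check if `project.members` is a collection of string ids, which this hunk does not show. If the field holds ObjectId values the test never matches and members are still refused; if it is ever a single string, `in` becomes a substring match and can grant access it should not. Normalising both sides, e.g. `if project and str(current_user["_id"]) in {str(m) for m in project.members}:`, makes the comparison explicit and fails closed. The rule is also written inline and reaches through `generation_service.dao`, so other handlers such as delete_generation (whose check is outside these hunks) can drift from it; one service-level access helper would keep them aligned. get_generation's signature and the start of its body lie outside the hunk.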