diff --git a/app/routers/api_crud_v3.py b/app/routers/api_crud_v3.py
index c7c5a0d..c39824c 100644
--- a/app/routers/api_crud_v3.py
+++ b/app/routers/api_crud_v3.py
@@ -487,9 +487,13 @@ async def post_obj(
 # Enforce account ownership AFTER sanitize_payload so the integer account_id goes straight
 # to the DB without conflicting with Vision ID string constraints in the model.
+ # Guard: skip if the model explicitly excludes account_id from DB writes (e.g. event_badge,
+ # event_device — the column does not exist in those tables).
 if not account.super and account.auth_method != 'bypass' and account.account_id:
 if 'account_id' in input_model.__fields__:
- data_to_insert['account_id'] = account.account_id
+ excluded = getattr(input_model, 'fields_to_exclude_from_db', [])
+ if 'account_id' not in excluded:
+ data_to_insert['account_id'] = account.account_id
 if sql_insert_result := sql_insert(data=data_to_insert, table_name=table_name_insert):
 new_obj_id = sql_insert_result
diff --git a/app/routers/api_crud_v3_nested.py b/app/routers/api_crud_v3_nested.py
index 7386305..82c2e2b 100644
--- a/app/routers/api_crud_v3_nested.py
+++ b/app/routers/api_crud_v3_nested.py
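Review bot: When `'account_id' not in excluded` is false the block now does nothing, so for the excluded models (the comment names event_badge and event_device) a non-super caller's row is written with no ownership binding visible in this hunk, and any `account_id` key already present in `data_to_insert` is left in place. Whether sanitize_payload strips that key is not visible here; if it does not, an explicit `else: data_to_insert.pop('account_id', None)` keeps a client-supplied value away from sql_insert. For these tables tenant isolation presumably has to come from the parent row, so the parent referenced by the payload should be checked against `account.account_id` before the insert, or a comment should name where that check lives. The same branch is added to post_child_obj in app/routers/api_crud_v3_nested.py. post_obj starts and ends outside the hunk.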
@@ -332,9 +332,13 @@ async def post_child_obj(
 # Enforce account ownership AFTER sanitize_payload so the integer account_id goes
 # straight to the DB without conflicting with Vision ID string constraints in the model.
+ # Guard: skip if the model explicitly excludes account_id from DB writes (e.g. event_badge,
+ # event_device — the column does not exist in those tables).
 if not account.super and account.auth_method != 'bypass' and account.account_id:
 if 'account_id' in input_model.__fields__:
- data_to_insert['account_id'] = account.account_id
+ excluded = getattr(input_model, 'fields_to_exclude_from_db', [])
+ if 'account_id' not in excluded:
+ data_to_insert['account_id'] = account.account_id
 # Re-inject parent FK last — overrides anything sanitize_payload or the model may have
 # set — ensuring the child is always linked to the correct parent.
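Review bot: This ownership block is now a line-for-line copy of the one in post_obj (app/routers/api_crud_v3.py), which is fragile for an access-control rule because a later fix to one copy can miss the other; moving it into one shared helper that both handlers call would keep them in step. Inside it, `getattr(input_model, 'fields_to_exclude_from_db', [])` assumes the attribute is always a list: a model that sets it to None would raise TypeError on the `in` test, which `excluded = getattr(input_model, 'fields_to_exclude_from_db', None) or ()` avoids, and a plain string value would silently become a substring match, so the helper should also check the type. post_child_obj starts and ends outside the hunk.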