Primo commit

utils/auth_middleware.py

@@ -161,17 +161,18 @@ def require_manager_or_admin(user=Depends(get_current_user)):
 def check_manager_access_to_user(current_user, target_user, db: Session) -> bool:
     """
     Check if current_user (manager) has access to target_user.
-    Admins always have access. Managers can only access users they manage.
+    Admins always have access. Managers can only access users in their Office.
     Returns True if access granted, raises HTTPException if not.
     """
     if current_user.role == "admin":
         return True
 
     if current_user.role == "manager":
-        if target_user.manager_id != current_user.id:
+        # Access granted if they are in the same office
+        if not current_user.office_id or target_user.office_id != current_user.office_id:
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
-                detail="User is not managed by you"
+                detail="User is not in your office"
             )
         return True