fix(authz): restore get_accessible_org_ids and fix Account/PayoutAccount guards

get_accessible_org_ids is still needed by many services for list-filtering.
Also update AccountPolicyGuard and PayoutAccountPolicyGuard to reference
policy functions directly instead of removed wrapper functions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: joebon

server/polar/authz/dependencies.py

@@ -18,7 +18,7 @@
 
 from .policies import finance, members
 from .policies import organization as org_policy
-from .service import get_accessible_organization
+from .service import get_accessible_org_ids, get_accessible_organization
 from .types import PolicyFn
 
 
@@ -295,14 +295,14 @@ async def dependency(
 
 
 AuthorizeAccountRead = Annotated[
-    AuthorizedAccount, Depends(AccountPolicyGuard(_finance_can_read()))
+    AuthorizedAccount, Depends(AccountPolicyGuard(finance.can_read))
 ]
 AuthorizeAccountWrite = Annotated[
-    AuthorizedAccount, Depends(AccountPolicyGuard(_finance_can_write()))
+    AuthorizedAccount, Depends(AccountPolicyGuard(finance.can_write))
 ]
 AuthorizePayoutAccountRead = Annotated[
-    AuthorizedPayoutAccount, Depends(PayoutAccountPolicyGuard(_finance_can_read()))
+    AuthorizedPayoutAccount, Depends(PayoutAccountPolicyGuard(finance.can_read))
 ]
 AuthorizePayoutAccountWrite = Annotated[
-    AuthorizedPayoutAccount, Depends(PayoutAccountPolicyGuard(_finance_can_write()))
+    AuthorizedPayoutAccount, Depends(PayoutAccountPolicyGuard(finance.can_write))
 ]

server/polar/authz/repository.py

@@ -13,6 +13,15 @@ class AuthzRepository:
     def __init__(self, session: AsyncReadSession) -> None:
         self.session = session
 
+    async def get_user_org_ids(self, user_id: UUID) -> set[UUID]:
+        """Get all organization IDs a user is a member of."""
+        stmt = select(UserOrganization.organization_id).where(
+            UserOrganization.user_id == user_id,
+            UserOrganization.is_deleted.is_(False),
+        )
+        result = await self.session.scalars(stmt)
+        return set(result.all())
+
     async def get_accessible_organization(
         self,
         auth_subject: AuthSubject[User | Organization],

server/polar/authz/service.py

@@ -1,12 +1,25 @@
 from uuid import UUID
 
-from polar.auth.models import AuthSubject, Organization, User
+from polar.auth.models import AuthSubject, Organization, User, is_organization, is_user
 from polar.models.organization import Organization as OrganizationModel
 from polar.postgres import AsyncReadSession
 
 from .repository import AuthzRepository
 
 
+async def get_accessible_org_ids(
+    session: AsyncReadSession,
+    auth_subject: AuthSubject[User | Organization],
+) -> set[UUID]:
+    """Resolve which organization IDs this subject can access."""
+    if is_organization(auth_subject):
+        return {auth_subject.subject.id}
+    if is_user(auth_subject):
+        repository = AuthzRepository(session)
+        return await repository.get_user_org_ids(auth_subject.subject.id)
+    return set()
+
+
 async def get_accessible_organization(
     session: AsyncReadSession,
     auth_subject: AuthSubject[User | Organization],

server/polar/organization/service.py

@@ -11,7 +11,8 @@
 
 from polar.account.service import account as account_service
 from polar.auth.models import AuthSubject
-from polar.config import Environment, settings
+from polar.authz.service import get_accessible_org_ids
+from polar.config import settings
 from polar.customer.repository import CustomerRepository
 from polar.enums import InvoiceNumbering, SubscriptionProrationBehavior
 from polar.exceptions import PolarError, PolarRequestValidationError