[WEB-4899] fix: workspace admin cannot delete intake and cycle (#7807)

* fix: permission check on viewset

* chore: check workspace admin

* chore: initialize is_workspace_admin before if condition

* chore: project member check

* fix: if conditions

* chore: add condition for guests to only edit description and name

* fix: use ROLE enum instead of magic numbers

* chore: remove if condition
Sangeetha 2025-09-18 20:11:35 +05:30 committed by GitHub
parent d5c3c0cbe1
commit e26c506cf9
GPG Key ID: B5690EEEBB952194
2 changed files with 29 additions and 23 deletions


@ -504,19 +504,6 @@ class CycleViewSet(BaseViewSet):
@allow_permission([ROLE.ADMIN], creator=True, model=Cycle)
def destroy(self, request, slug, project_id, pk):
cycle = Cycle.objects.get(workspace__slug=slug, project_id=project_id, pk=pk)
if cycle.owned_by_id != request.user.id and not (
ProjectMember.objects.filter(
workspace__slug=slug,
member=request.user,
role=20,
project_id=project_id,
is_active=True,
).exists()
):
return Response(
{"error": "Only admin or owner can delete the cycle"},
status=status.HTTP_403_FORBIDDEN,
)
cycle_issues = list(
CycleIssue.objects.filter(cycle_id=self.kwargs.get("pk")).values_list(


@ -28,6 +28,7 @@ from plane.db.models import (
ProjectMember,
CycleIssue,
IssueDescriptionVersion,
WorkspaceMember,
)
from plane.app.serializers import (
IssueCreateSerializer,
@ -348,17 +349,32 @@ class IntakeIssueViewSet(BaseViewSet):
project_id=project_id,
intake_id=intake_id,
)
# Get the project member
project_member = ProjectMember.objects.get(
project_member = ProjectMember.objects.filter(
workspace__slug=slug,
project_id=project_id,
member=request.user,
is_active=True,
)
).first()
is_workspace_admin = WorkspaceMember.objects.filter(
workspace__slug=slug,
is_active=True,
member=request.user,
role=ROLE.ADMIN.value,
).exists()
if not project_member and not is_workspace_admin:
return Response(
{"error": "Only admin or creator can update the intake work items"},
status=status.HTTP_403_FORBIDDEN,
)
# Only project members admins and created_by users can access this endpoint
if project_member.role <= 5 and str(intake_issue.created_by_id) != str(
request.user.id
):
if (
(project_member and project_member.role <= ROLE.GUEST.value)
and not is_workspace_admin
) and str(intake_issue.created_by_id) != str(request.user.id):
return Response(
{"error": "You cannot edit intake issues"},
status=status.HTTP_400_BAD_REQUEST,
@ -391,8 +407,8 @@ class IntakeIssueViewSet(BaseViewSet):
Value([], output_field=ArrayField(UUIDField())),
),
).get(pk=intake_issue.issue_id, workspace__slug=slug, project_id=project_id)
# Only allow guests to edit name and description
if project_member.role <= 5:
if project_member and project_member.role <= ROLE.GUEST.value:
issue_data = {
"name": issue_data.get("name", issue.name),
"description_html": issue_data.get(
@ -400,6 +416,7 @@ class IntakeIssueViewSet(BaseViewSet):
),
"description": issue_data.get("description", issue.description),
}
current_instance = json.dumps(
IssueDetailSerializer(issue).data, cls=DjangoJSONEncoder
)
@ -436,8 +453,10 @@ class IntakeIssueViewSet(BaseViewSet):
issue_serializer.errors, status=status.HTTP_400_BAD_REQUEST
)
# Only project admins and members can edit intake issue attributes
if project_member.role > 15:
# Only project admins can edit intake issue attributes
if (
project_member and project_member.role > ROLE.MEMBER.value
) or is_workspace_admin:
serializer = IntakeIssueSerializer(
intake_issue, data=request.data, partial=True
)