[WEB-4899] fix: workspace admin cannot delete intake and cycle (#7807)
* fix: permission check on viewset * chore: check workspace admin * chore: initiative is_workspace_admin before if condition * chore: project member check * fix: if conditions * chore: add condition for guests to only edit description and name * fix: use ROLE enum instead of magic numbers * chore: remove if condition
This commit is contained in:
parent
d5c3c0cbe1
commit
e26c506cf9
@ -504,19 +504,6 @@ class CycleViewSet(BaseViewSet):
|
|||||||
@allow_permission([ROLE.ADMIN], creator=True, model=Cycle)
|
@allow_permission([ROLE.ADMIN], creator=True, model=Cycle)
|
||||||
def destroy(self, request, slug, project_id, pk):
|
def destroy(self, request, slug, project_id, pk):
|
||||||
cycle = Cycle.objects.get(workspace__slug=slug, project_id=project_id, pk=pk)
|
cycle = Cycle.objects.get(workspace__slug=slug, project_id=project_id, pk=pk)
|
||||||
if cycle.owned_by_id != request.user.id and not (
|
|
||||||
ProjectMember.objects.filter(
|
|
||||||
workspace__slug=slug,
|
|
||||||
member=request.user,
|
|
||||||
role=20,
|
|
||||||
project_id=project_id,
|
|
||||||
is_active=True,
|
|
||||||
).exists()
|
|
||||||
):
|
|
||||||
return Response(
|
|
||||||
{"error": "Only admin or owner can delete the cycle"},
|
|
||||||
status=status.HTTP_403_FORBIDDEN,
|
|
||||||
)
|
|
||||||
|
|
||||||
cycle_issues = list(
|
cycle_issues = list(
|
||||||
CycleIssue.objects.filter(cycle_id=self.kwargs.get("pk")).values_list(
|
CycleIssue.objects.filter(cycle_id=self.kwargs.get("pk")).values_list(
|
||||||
|
|||||||
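Review bot: With the inline owner/admin check removed, `@allow_permission([ROLE.ADMIN], creator=True, model=Cycle)` on the line above `destroy` is now the only authorization gate, and the deleted check keyed on `cycle.owned_by_id` while the decorator's `creator=True` presumably keys on the model's creator field; if those two fields can differ for a cycle whose ownership was reassigned, the set of users allowed to delete changes silently, which is worth confirming against the decorator's implementation. The decorator itself is unchanged in this hunk, so whether a workspace admin without a project membership now passes depends entirely on code outside this view. A one-line comment would make the delegation explicit for the next reader: `# Authorization (workspace/project admin or cycle creator) is enforced by allow_permission above`. `destroy` continues past the end of the hunk.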
@ -28,6 +28,7 @@ from plane.db.models import (
|
|||||||
ProjectMember,
|
ProjectMember,
|
||||||
CycleIssue,
|
CycleIssue,
|
||||||
IssueDescriptionVersion,
|
IssueDescriptionVersion,
|
||||||
|
WorkspaceMember,
|
||||||
)
|
)
|
||||||
from plane.app.serializers import (
|
from plane.app.serializers import (
|
||||||
IssueCreateSerializer,
|
IssueCreateSerializer,
|
||||||
@ -348,17 +349,32 @@ class IntakeIssueViewSet(BaseViewSet):
|
|||||||
project_id=project_id,
|
project_id=project_id,
|
||||||
intake_id=intake_id,
|
intake_id=intake_id,
|
||||||
)
|
)
|
||||||
# Get the project member
|
|
||||||
project_member = ProjectMember.objects.get(
|
project_member = ProjectMember.objects.filter(
|
||||||
workspace__slug=slug,
|
workspace__slug=slug,
|
||||||
project_id=project_id,
|
project_id=project_id,
|
||||||
member=request.user,
|
member=request.user,
|
||||||
is_active=True,
|
is_active=True,
|
||||||
)
|
).first()
|
||||||
|
|
||||||
|
is_workspace_admin = WorkspaceMember.objects.filter(
|
||||||
|
workspace__slug=slug,
|
||||||
|
is_active=True,
|
||||||
|
member=request.user,
|
||||||
|
role=ROLE.ADMIN.value,
|
||||||
|
).exists()
|
||||||
|
|
||||||
|
if not project_member and not is_workspace_admin:
|
||||||
|
return Response(
|
||||||
|
{"error": "Only admin or creator can update the intake work items"},
|
||||||
|
status=status.HTTP_403_FORBIDDEN,
|
||||||
|
)
|
||||||
|
|
||||||
# Only project members admins and created_by users can access this endpoint
|
# Only project members admins and created_by users can access this endpoint
|
||||||
if project_member.role <= 5 and str(intake_issue.created_by_id) != str(
|
if (
|
||||||
request.user.id
|
(project_member and project_member.role <= ROLE.GUEST.value)
|
||||||
):
|
and not is_workspace_admin
|
||||||
|
) and str(intake_issue.created_by_id) != str(request.user.id):
|
||||||
return Response(
|
return Response(
|
||||||
{"error": "You cannot edit intake issues"},
|
{"error": "You cannot edit intake issues"},
|
||||||
status=status.HTTP_400_BAD_REQUEST,
|
status=status.HTTP_400_BAD_REQUEST,
|
||||||
@ -391,8 +407,8 @@ class IntakeIssueViewSet(BaseViewSet):
|
|||||||
Value([], output_field=ArrayField(UUIDField())),
|
Value([], output_field=ArrayField(UUIDField())),
|
||||||
),
|
),
|
||||||
).get(pk=intake_issue.issue_id, workspace__slug=slug, project_id=project_id)
|
).get(pk=intake_issue.issue_id, workspace__slug=slug, project_id=project_id)
|
||||||
# Only allow guests to edit name and description
|
|
||||||
if project_member.role <= 5:
|
if project_member and project_member.role <= ROLE.GUEST.value:
|
||||||
issue_data = {
|
issue_data = {
|
||||||
"name": issue_data.get("name", issue.name),
|
"name": issue_data.get("name", issue.name),
|
||||||
"description_html": issue_data.get(
|
"description_html": issue_data.get(
|
||||||
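Review bot: The guest field restriction at `if project_member and project_member.role <= ROLE.GUEST.value:` does not exclude workspace admins, whereas the edit check added earlier in this commit does (`and not is_workspace_admin`); a workspace admin who also holds a GUEST project role is therefore still reduced to editing only name and description here, even though the later attribute-edit branch lets `is_workspace_admin` through. If the intent is that workspace admins are never treated as guests, the line should read `if project_member and project_member.role <= ROLE.GUEST.value and not is_workspace_admin:`, keeping the three role checks in this method consistent. `is_workspace_admin` is computed earlier in the method, outside this hunk, and the method continues past it.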
@ -400,6 +416,7 @@ class IntakeIssueViewSet(BaseViewSet):
|
|||||||
),
|
),
|
||||||
"description": issue_data.get("description", issue.description),
|
"description": issue_data.get("description", issue.description),
|
||||||
}
|
}
|
||||||
|
|
||||||
current_instance = json.dumps(
|
current_instance = json.dumps(
|
||||||
IssueDetailSerializer(issue).data, cls=DjangoJSONEncoder
|
IssueDetailSerializer(issue).data, cls=DjangoJSONEncoder
|
||||||
)
|
)
|
||||||
@ -436,8 +453,10 @@ class IntakeIssueViewSet(BaseViewSet):
|
|||||||
issue_serializer.errors, status=status.HTTP_400_BAD_REQUEST
|
issue_serializer.errors, status=status.HTTP_400_BAD_REQUEST
|
||||||
)
|
)
|
||||||
|
|
||||||
# Only project admins and members can edit intake issue attributes
|
# Only project admins can edit intake issue attributes
|
||||||
if project_member.role > 15:
|
if (
|
||||||
|
project_member and project_member.role > ROLE.MEMBER.value
|
||||||
|
) or is_workspace_admin:
|
||||||
serializer = IntakeIssueSerializer(
|
serializer = IntakeIssueSerializer(
|
||||||
intake_issue, data=request.data, partial=True
|
intake_issue, data=request.data, partial=True
|
||||||
)
|
)
|
||||||
|
|||||||