[WEB-1674] chore: views access control (#4885)
* chore: access control changes in views * chore: view serializer change
parent
f3bafb02d1
commit
198452430f
2 changed files with 59 additions and 6 deletions
|
|
@ -3,18 +3,12 @@ from rest_framework import serializers
|
||||||
|
|
||||||
# Module imports
|
# Module imports
|
||||||
from .base import DynamicBaseSerializer
|
from .base import DynamicBaseSerializer
|
||||||
from .workspace import WorkspaceLiteSerializer
|
|
||||||
from .project import ProjectLiteSerializer
|
|
||||||
from plane.db.models import IssueView
|
from plane.db.models import IssueView
|
||||||
from plane.utils.issue_filters import issue_filters
|
from plane.utils.issue_filters import issue_filters
|
||||||
|
|
||||||
|
|
||||||
class IssueViewSerializer(DynamicBaseSerializer):
|
class IssueViewSerializer(DynamicBaseSerializer):
|
||||||
is_favorite = serializers.BooleanField(read_only=True)
|
is_favorite = serializers.BooleanField(read_only=True)
|
||||||
project_detail = ProjectLiteSerializer(source="project", read_only=True)
|
|
||||||
workspace_detail = WorkspaceLiteSerializer(
|
|
||||||
source="workspace", read_only=True
|
|
||||||
)
|
|
||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
model = IssueView
|
model = IssueView
|
||||||
|
|
@ -24,6 +18,8 @@ class IssueViewSerializer(DynamicBaseSerializer):
|
||||||
"project",
|
"project",
|
||||||
"query",
|
"query",
|
||||||
"owned_by",
|
"owned_by",
|
||||||
|
"access",
|
||||||
|
"is_locked",
|
||||||
]
|
]
|
||||||
|
|
||||||
def create(self, validated_data):
|
def create(self, validated_data):
|
||||||
|
|
|
||||||
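Review bot: The list that gains `"access"` and `"is_locked"` is not named inside the hunk, and the intent deserves a comment next to the two entries. Their neighbours (`"project"`, `"query"`, `"owned_by"`) look like server-controlled fields, so this is presumably `Meta.read_only_fields`. If so, DRF drops both keys from a request body instead of rejecting them, and a client that sends `access` in a PATCH gets a 200 with the value unchanged. A comment such as `# access and is_locked are server-controlled; client-supplied values are ignored` would make that explicit. The `Meta` class begins above the hunk.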
|
|
@ -69,11 +69,40 @@ class WorkspaceViewViewSet(BaseViewSet):
|
||||||
.get_queryset()
|
.get_queryset()
|
||||||
.filter(workspace__slug=self.kwargs.get("slug"))
|
.filter(workspace__slug=self.kwargs.get("slug"))
|
||||||
.filter(project__isnull=True)
|
.filter(project__isnull=True)
|
||||||
|
.filter(Q(owned_by=self.request.user) | Q(access=1))
|
||||||
.select_related("workspace")
|
.select_related("workspace")
|
||||||
.order_by(self.request.GET.get("order_by", "-created_at"))
|
.order_by(self.request.GET.get("order_by", "-created_at"))
|
||||||
.distinct()
|
.distinct()
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def partial_update(self, request, slug, pk):
|
||||||
|
workspace_view = IssueView.objects.get(
|
||||||
|
pk=pk,
|
||||||
|
workspace__slug=slug,
|
||||||
|
)
|
||||||
|
|
||||||
|
if workspace_view.is_locked:
|
||||||
|
return Response(
|
||||||
|
{"error": "view is locked"},
|
||||||
|
status=status.HTTP_400_BAD_REQUEST,
|
||||||
|
)
|
||||||
|
|
||||||
|
# Only update the view if owner is updating
|
||||||
|
if workspace_view.owned_by_id != request.user.id:
|
||||||
|
return Response(
|
||||||
|
{"error": "Only the owner of the view can update the view"},
|
||||||
|
status=status.HTTP_400_BAD_REQUEST,
|
||||||
|
)
|
||||||
|
|
||||||
|
serializer = IssueViewSerializer(
|
||||||
|
workspace_view, data=request.data, partial=True
|
||||||
|
)
|
||||||
|
|
||||||
|
if serializer.is_valid():
|
||||||
|
serializer.save()
|
||||||
|
return Response(serializer.data, status=status.HTTP_200_OK)
|
||||||
|
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
|
||||||
|
|
||||||
|
|
||||||
class WorkspaceViewIssuesViewSet(BaseViewSet):
|
class WorkspaceViewIssuesViewSet(BaseViewSet):
|
||||||
permission_classes = [
|
permission_classes = [
|
||||||
|
|
@ -294,6 +323,7 @@ class IssueViewViewSet(BaseViewSet):
|
||||||
project__project_projectmember__is_active=True,
|
project__project_projectmember__is_active=True,
|
||||||
project__archived_at__isnull=True,
|
project__archived_at__isnull=True,
|
||||||
)
|
)
|
||||||
|
.filter(Q(owned_by=self.request.user) | Q(access=1))
|
||||||
.select_related("project")
|
.select_related("project")
|
||||||
.select_related("workspace")
|
.select_related("workspace")
|
||||||
.annotate(is_favorite=Exists(subquery))
|
.annotate(is_favorite=Exists(subquery))
|
||||||
|
|
@ -313,6 +343,33 @@ class IssueViewViewSet(BaseViewSet):
|
||||||
).data
|
).data
|
||||||
return Response(views, status=status.HTTP_200_OK)
|
return Response(views, status=status.HTTP_200_OK)
|
||||||
|
|
||||||
|
def partial_update(self, request, slug, project_id, pk):
|
||||||
|
issue_view = IssueView.objects.get(
|
||||||
|
pk=pk, workspace__slug=slug, project_id=project_id
|
||||||
|
)
|
||||||
|
|
||||||
|
if issue_view.is_locked:
|
||||||
|
return Response(
|
||||||
|
{"error": "view is locked"},
|
||||||
|
status=status.HTTP_400_BAD_REQUEST,
|
||||||
|
)
|
||||||
|
|
||||||
|
# Only update the view if owner is updating
|
||||||
|
if issue_view.owned_by_id != request.user.id:
|
||||||
|
return Response(
|
||||||
|
{"error": "Only the owner of the view can update the view"},
|
||||||
|
status=status.HTTP_400_BAD_REQUEST,
|
||||||
|
)
|
||||||
|
|
||||||
|
serializer = IssueViewSerializer(
|
||||||
|
issue_view, data=request.data, partial=True
|
||||||
|
)
|
||||||
|
|
||||||
|
if serializer.is_valid():
|
||||||
|
serializer.save()
|
||||||
|
return Response(serializer.data, status=status.HTTP_200_OK)
|
||||||
|
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
|
||||||
|
|
||||||
|
|
||||||
class IssueViewFavoriteViewSet(BaseViewSet):
|
class IssueViewFavoriteViewSet(BaseViewSet):
|
||||||
model = UserFavorite
|
model = UserFavorite
|
||||||
|
|
|
||||||
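Review bot: The owner and lock checks exist only in the two new `partial_update` methods (`WorkspaceViewViewSet` and `IssueViewViewSet`), so any other write path these viewsets expose is left unguarded. Routing and `BaseViewSet` are outside the hunks. If PUT or DELETE map to inherited `update`/`destroy` methods, those presumably resolve the object through `get_queryset()`, which after this change also returns other users' views with `access=1`, with neither ownership nor `is_locked` enforced. The checks could move into one helper called from every write method, testing ownership before the lock so a non-owner is not told the lock state. The ownership denial should return `status.HTTP_403_FORBIDDEN` rather than 400 so authorization failures are distinguishable in logs. Both class bodies continue outside the hunks; the same helper applies to the workspace-level method with its own lookup arguments.

```python
    def _owned_unlocked_view_or_response(self, request, **lookup):
        # One guard for every write path (PATCH, and PUT/DELETE if routed).
        view = IssueView.objects.get(**lookup)
        # Ownership first, so a non-owner learns nothing about lock state.
        if view.owned_by_id != request.user.id:
            return None, Response(
                {"error": "Only the owner of the view can update the view"},
                status=status.HTTP_403_FORBIDDEN,
            )
        if view.is_locked:
            return None, Response(
                {"error": "view is locked"},
                status=status.HTTP_400_BAD_REQUEST,
            )
        return view, None

    def partial_update(self, request, slug, project_id, pk):
        issue_view, denied = self._owned_unlocked_view_or_response(
            request, pk=pk, workspace__slug=slug, project_id=project_id
        )
        if denied is not None:
            return denied
        # … unchanged: serializer construction, validation and save …
```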