[WEB-2043] chore: updated permissions for delete operation (#5231)

* chore: added permission for delete operation * chore: added permission for external apis * chore: condition changes * chore: minor changes
2024-07-26 16:42:51 +05:30 · 2024-07-26 16:42:51 +05:30 · 2c609670c8
commit 2c609670c8
parent dfcba4dfc1
11 changed files with 197 additions and 52 deletions
--- a/apiserver/plane/app/views/module/base.py
+++ b/apiserver/plane/app/views/module/base.py
@ -48,6 +48,7 @@ from plane.db.models import (
    ModuleLink,
    ModuleUserProperties,
    Project,
+    ProjectMember,
 )
 from plane.utils.analytics_plot import burndown_plot
 from plane.utils.user_timezone_converter import user_timezone_converter
@ -737,6 +738,21 @@ class ModuleViewSet(BaseViewSet):
        module = Module.objects.get(
            workspace__slug=slug, project_id=project_id, pk=pk
        )
+
+        if module.created_by_id != request.user.id and (
+            not ProjectMember.objects.filter(
+                workspace__slug=slug,
+                member=request.user,
+                role=20,
+                project_id=project_id,
+                is_active=True,
+            ).exists()
+        ):
+            return Response(
+                {"error": "Only admin or creator can delete the module"},
+                status=status.HTTP_403_FORBIDDEN,
+            )
+
        module_issues = list(
            ModuleIssue.objects.filter(module_id=pk).values_list(
                "issue", flat=True