[WEB-2043] chore: updated permissions for delete operation (#5231)

* chore: added permission for delete operation * chore: added permission for external apis * chore: condition changes * chore: minor changes
2024-07-26 16:42:51 +05:30 · 2024-07-26 16:42:51 +05:30 · 2c609670c8
commit 2c609670c8
parent dfcba4dfc1
11 changed files with 197 additions and 52 deletions
--- a/apiserver/plane/app/views/view/base.py
+++ b/apiserver/plane/app/views/view/base.py
@ -116,6 +116,20 @@ class WorkspaceViewViewSet(BaseViewSet):
            pk=pk,
            workspace__slug=slug,
        )
+        if not (
+            WorkspaceMember.objects.filter(
+                workspace__slug=slug,
+                member=request.user,
+                role=20,
+                is_active=True,
+            ).exists()
+            and workspace_view.owned_by_id != request.user.id
+        ):
+            return Response(
+                {"error": "You do not have permission to delete this view"},
+                status=status.HTTP_403_FORBIDDEN,
+            )
+
        workspace_member = WorkspaceMember.objects.filter(
            workspace__slug=slug,
            member=request.user,
@ -412,14 +426,16 @@ class IssueViewViewSet(BaseViewSet):
            project_id=project_id,
            workspace__slug=slug,
        )
-        project_member = ProjectMember.objects.filter(
-            workspace__slug=slug,
-            project_id=project_id,
-            member=request.user,
-            role=20,
-            is_active=True,
-        )
-        if project_member.exists() or project_view.owned_by == request.user:
+        if (
+            ProjectMember.objects.filter(
+                workspace__slug=slug,
+                project_id=project_id,
+                member=request.user,
+                role=20,
+                is_active=True,
+            ).exists()
+            or project_view.owned_by_id == request.user.id
+        ):
            project_view.delete()
        else:
            return Response(