[WEB-2443] fix: project intake edit permission (#5588)

* fix: project intake edit permission * chore: inbox issue validation changes * fix: intake edit permission updated * fix: project invite modal --------- Co-authored-by: NarayanBavisetti <narayan3119@gmail.com>
2024-09-12 14:44:21 +05:30 · 2024-09-12 14:44:21 +05:30 · 33dd5fe8cc
commit 33dd5fe8cc
parent aed2f2dd47
4 changed files with 57 additions and 35 deletions
--- a/apiserver/plane/app/views/inbox/base.py
+++ b/apiserver/plane/app/views/inbox/base.py
@ -170,6 +170,7 @@ class InboxIssueViewSet(BaseViewSet):
        inbox_id = Inbox.objects.get(
            workspace__slug=slug, project_id=project_id
        )
+        project = Project.objects.get(pk=project_id) 
        filters = issue_filters(request.GET, "GET", "issue__")
        inbox_issue = (
            InboxIssue.objects.filter(
@ -199,13 +200,16 @@ class InboxIssueViewSet(BaseViewSet):
        if inbox_status:
            inbox_issue = inbox_issue.filter(status__in=inbox_status)

-        if ProjectMember.objects.filter(
-            workspace__slug=slug,
-            project_id=project_id,
-            member=request.user,
-            role=5,
-            is_active=True,
-        ).exists():
+        if (
+            ProjectMember.objects.filter(
+                workspace__slug=slug,
+                project_id=project_id,
+                member=request.user,
+                role=5,
+                is_active=True,
+            ).exists()
+            and not project.guest_view_all_features
+        ):
            inbox_issue = inbox_issue.filter(created_by=request.user)
        return self.paginate(
            request=request,
@ -517,6 +521,7 @@ class InboxIssueViewSet(BaseViewSet):
        allowed_roles=[
            ROLE.ADMIN,
            ROLE.MEMBER,
+            ROLE.GUEST,
        ],
        creator=True,
        model=Issue,
@ -525,6 +530,7 @@ class InboxIssueViewSet(BaseViewSet):
        inbox_id = Inbox.objects.get(
            workspace__slug=slug, project_id=project_id
        )
+        project = Project.objects.get(pk=project_id)
        inbox_issue = (
            InboxIssue.objects.select_related("issue")
            .prefetch_related(
@ -551,6 +557,21 @@ class InboxIssueViewSet(BaseViewSet):
            )
            .get(inbox_id=inbox_id.id, issue_id=pk, project_id=project_id)
        )
+        if (
+            ProjectMember.objects.filter(
+                workspace__slug=slug,
+                project_id=project_id,
+                member=request.user,
+                role=5,
+                is_active=True,
+            ).exists()
+            and not project.guest_view_all_features
+            and not inbox_issue.created_by == request.user
+        ):
+            return Response(
+                {"error": "You are not allowed to view this issue"},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
        issue = InboxIssueDetailSerializer(inbox_issue).data
        return Response(
            issue,
--- a/apiserver/plane/app/views/project/invite.py
+++ b/apiserver/plane/app/views/project/invite.py
@ -17,7 +17,7 @@ from rest_framework.permissions import AllowAny
 from .base import BaseViewSet, BaseAPIView
 from plane.app.serializers import ProjectMemberInviteSerializer

-from plane.app.permissions import ProjectBasePermission
+from plane.app.permissions import allow_permission, ROLE

 from plane.db.models import (
    ProjectMember,
@ -35,10 +35,6 @@ class ProjectInvitationsViewset(BaseViewSet):

    search_fields = []

-    permission_classes = [
-        ProjectBasePermission,
-    ]
-
    def get_queryset(self):
        return self.filter_queryset(
            super()
@ -49,6 +45,7 @@ class ProjectInvitationsViewset(BaseViewSet):
            .select_related("workspace", "workspace__owner")
        )

+    @allow_permission([ROLE.ADMIN])
    def create(self, request, slug, project_id):
        emails = request.data.get("emails", [])

@ -59,24 +56,21 @@ class ProjectInvitationsViewset(BaseViewSet):
                status=status.HTTP_400_BAD_REQUEST,
            )

-        requesting_user = ProjectMember.objects.get(
-            workspace__slug=slug,
-            project_id=project_id,
-            member_id=request.user.id,
-        )
+        for email in emails:
+            workspace_role = WorkspaceMember.objects.filter(
+                workspace__slug=slug,
+                member__email=email.get("email"),
+                is_active=True,
+            ).role

-        # Check if any invited user has an higher role
-        if len(
-            [
-                email
-                for email in emails
-                if int(email.get("role", 5)) > requesting_user.role
-            ]
-        ):
-            return Response(
-                {"error": "You cannot invite a user with higher role"},
-                status=status.HTTP_400_BAD_REQUEST,
-            )
+            if workspace_role in [5, 20] and workspace_role != email.get(
+                "role", 5
+            ):
+                return Response(
+                    {
+                        "error": "You cannot invite a user with different role than workspace role"
+                    },
+                )

        workspace = Workspace.objects.get(slug=slug)