[WEB-2443] fix: project intake edit permission (#5588)

* fix: project intake edit permission * chore: inbox issue validation changes * fix: intake edit permission updated * fix: project invite modal --------- Co-authored-by: NarayanBavisetti <narayan3119@gmail.com>
2024-09-12 14:44:21 +05:30 · 2024-09-12 14:44:21 +05:30 · 33dd5fe8cc
commit 33dd5fe8cc
parent aed2f2dd47
4 changed files with 57 additions and 35 deletions
--- a/apiserver/plane/app/views/inbox/base.py
+++ b/apiserver/plane/app/views/inbox/base.py
@ -170,6 +170,7 @@ class InboxIssueViewSet(BaseViewSet):
        inbox_id = Inbox.objects.get(
            workspace__slug=slug, project_id=project_id
        )
+        project = Project.objects.get(pk=project_id) 
        filters = issue_filters(request.GET, "GET", "issue__")
        inbox_issue = (
            InboxIssue.objects.filter(
@ -199,13 +200,16 @@ class InboxIssueViewSet(BaseViewSet):
        if inbox_status:
            inbox_issue = inbox_issue.filter(status__in=inbox_status)

-        if ProjectMember.objects.filter(
-            workspace__slug=slug,
-            project_id=project_id,
-            member=request.user,
-            role=5,
-            is_active=True,
-        ).exists():
+        if (
+            ProjectMember.objects.filter(
+                workspace__slug=slug,
+                project_id=project_id,
+                member=request.user,
+                role=5,
+                is_active=True,
+            ).exists()
+            and not project.guest_view_all_features
+        ):
            inbox_issue = inbox_issue.filter(created_by=request.user)
        return self.paginate(
            request=request,
@ -517,6 +521,7 @@ class InboxIssueViewSet(BaseViewSet):
        allowed_roles=[
            ROLE.ADMIN,
            ROLE.MEMBER,
+            ROLE.GUEST,
        ],
        creator=True,
        model=Issue,
@ -525,6 +530,7 @@ class InboxIssueViewSet(BaseViewSet):
        inbox_id = Inbox.objects.get(
            workspace__slug=slug, project_id=project_id
        )
+        project = Project.objects.get(pk=project_id)
        inbox_issue = (
            InboxIssue.objects.select_related("issue")
            .prefetch_related(
@ -551,6 +557,21 @@ class InboxIssueViewSet(BaseViewSet):
            )
            .get(inbox_id=inbox_id.id, issue_id=pk, project_id=project_id)
        )
+        if (
+            ProjectMember.objects.filter(
+                workspace__slug=slug,
+                project_id=project_id,
+                member=request.user,
+                role=5,
+                is_active=True,
+            ).exists()
+            and not project.guest_view_all_features
+            and not inbox_issue.created_by == request.user
+        ):
+            return Response(
+                {"error": "You are not allowed to view this issue"},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
        issue = InboxIssueDetailSerializer(inbox_issue).data
        return Response(
            issue,