[WEB-1985] chore: page access control (#5154)

* chore: page access control * chore: page access update endpoint updated --------- Co-authored-by: Anmol Singh Bhatia <anmolsinghbhatia@plane.so>
2024-07-19 15:43:01 +05:30 · 2024-07-19 15:43:01 +05:30 · 39a607ac0a
commit 39a607ac0a
parent d3c3d3c5ab
4 changed files with 42 additions and 2 deletions
--- a/apiserver/plane/app/views/page/base.py
+++ b/apiserver/plane/app/views/page/base.py
@ -245,6 +245,28 @@ class PageViewSet(BaseViewSet):

        return Response(status=status.HTTP_204_NO_CONTENT)

+    def access(self, request, slug, project_id, pk):
+        access = request.data.get("access", 0)
+        page = Page.objects.filter(
+            pk=pk, workspace__slug=slug, projects__id=project_id
+        ).first()
+
+        # Only update access if the page owner is the requesting user
+        if (
+            page.access != request.data.get("access", page.access)
+            and page.owned_by_id != request.user.id
+        ):
+            return Response(
+                {
+                    "error": "Access cannot be updated since this page is owned by someone else"
+                },
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+
+        page.access = access
+        page.save()
+        return Response(status=status.HTTP_204_NO_CONTENT)
+
    def list(self, request, slug, project_id):
        queryset = self.get_queryset()
        pages = PageSerializer(queryset, many=True).data