[WEB-4014] fix: check access when duplicating pages #7015

2025-05-06 01:20:33 +05:30 · 2025-05-06 01:20:33 +05:30 · b4cc2d83fe
commit b4cc2d83fe
parent 42e2b787f0
2 changed files with 14 additions and 4 deletions
--- a/apiserver/plane/app/views/page/base.py
+++ b/apiserver/plane/app/views/page/base.py
@ -42,6 +42,7 @@ from plane.bgtasks.page_version_task import page_version
 from plane.bgtasks.recent_visited_task import recent_visited_task
 from plane.bgtasks.copy_s3_object import copy_s3_objects

+
 def unarchive_archive_page_and_descendants(page_id, archived_at):
    # Your SQL query
    sql = """
@ -198,7 +199,7 @@ class PageViewSet(BaseViewSet):
        project = Project.objects.get(pk=project_id)

        """
-        if the role is guest and guest_view_all_features is false and owned by is not 
+        if the role is guest and guest_view_all_features is false and owned by is not
        the requesting user then dont show the page
        """

@ -572,6 +573,12 @@ class PageDuplicateEndpoint(BaseAPIView):
            pk=page_id, workspace__slug=slug, projects__id=project_id
        ).first()

+        # check for permission
+        if page.access == Page.PRIVATE_ACCESS and page.owned_by_id != request.user.id:
+            return Response(
+                {"error": "Permission denied"}, status=status.HTTP_403_FORBIDDEN
+            )
+
        # get all the project ids where page is present
        project_ids = ProjectPage.objects.filter(page_id=page_id).values_list(
            "project_id", flat=True
--- a/apiserver/plane/db/models/page.py
+++ b/apiserver/plane/db/models/page.py
@ -17,6 +17,11 @@ def get_view_props():


 class Page(BaseModel):
+    PRIVATE_ACCESS = 1
+    PUBLIC_ACCESS = 0
+
+    ACCESS_CHOICES = ((PRIVATE_ACCESS, "Private"), (PUBLIC_ACCESS, "Public"))
+
    workspace = models.ForeignKey(
        "db.Workspace", on_delete=models.CASCADE, related_name="pages"
    )
@ -91,9 +96,7 @@ class PageLog(BaseModel):
    transaction = models.UUIDField(default=uuid.uuid4)
    page = models.ForeignKey(Page, related_name="page_log", on_delete=models.CASCADE)
    entity_identifier = models.UUIDField(null=True)
-    entity_name = models.CharField(
-        max_length=30, verbose_name="Transaction Type"
-    )
+    entity_name = models.CharField(max_length=30, verbose_name="Transaction Type")
    workspace = models.ForeignKey(
        "db.Workspace", on_delete=models.CASCADE, related_name="workspace_page_log"
    )