From b4cc2d83fecef3ebf4b0b3498255ae653b8ebb77 Mon Sep 17 00:00:00 2001
From: Nikhil <118773738+pablohashescobar@users.noreply.github.com>
Date: Tue, 6 May 2025 01:20:33 +0530
Subject: [PATCH] [WEB-4014] fix: check access when duplicating pages #7015

---
 apiserver/plane/app/views/page/base.py | 9 ++++++++-
 apiserver/plane/db/models/page.py      | 9 ++++++---
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/apiserver/plane/app/views/page/base.py b/apiserver/plane/app/views/page/base.py
index e8a3c3ffd..26e9223b8 100644
--- a/apiserver/plane/app/views/page/base.py
+++ b/apiserver/plane/app/views/page/base.py
@@ -42,6 +42,7 @@ from plane.bgtasks.page_version_task import page_version
 from plane.bgtasks.recent_visited_task import recent_visited_task
 from plane.bgtasks.copy_s3_object import copy_s3_objects
 
+
 def unarchive_archive_page_and_descendants(page_id, archived_at):
     # Your SQL query
     sql = """
@@ -198,7 +199,7 @@ class PageViewSet(BaseViewSet):
         project = Project.objects.get(pk=project_id)
 
         """
-        if the role is guest and guest_view_all_features is false and owned by is not
+        if the role is guest and guest_view_all_features is false and owned by is not
         the requesting user then dont show the page
         """
 
@@ -572,6 +573,12 @@ class PageDuplicateEndpoint(BaseAPIView):
             pk=page_id, workspace__slug=slug, projects__id=project_id
         ).first()
 
+        # check for permission
+        if page.access == Page.PRIVATE_ACCESS and page.owned_by_id != request.user.id:
+            return Response(
+                {"error": "Permission denied"}, status=status.HTTP_403_FORBIDDEN
+            )
+
         # get all the project ids where page is present
         project_ids = ProjectPage.objects.filter(page_id=page_id).values_list(
             "project_id", flat=True
diff --git a/apiserver/plane/db/models/page.py b/apiserver/plane/db/models/page.py
index 5f4fb2744..5be9c6164 100644
--- a/apiserver/plane/db/models/page.py
+++ b/apiserver/plane/db/models/page.py
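Review bot: `page` is the result of `.first()` two lines above the new check, so a page id that does not match the slug/project filter yields `None` and the new line `page.access` raises AttributeError (an unhandled 500) before the intended 403 is reached; guard it first, `if page is None: return Response({"error": "Page not found"}, status=status.HTTP_404_NOT_FOUND)`. As written the check also refuses every non-owner of a private page regardless of any workspace or project role, which may well be the intent but is not stated; a more specific comment would make that explicit, e.g. `# private pages may only be duplicated by their owner`. The enclosing method of PageDuplicateEndpoint starts before and continues after this hunk, so any earlier validation of page_id is not visible here.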
@@ -17,6 +17,11 @@ def get_view_props():
 
 
 class Page(BaseModel):
+    PRIVATE_ACCESS = 1
+    PUBLIC_ACCESS = 0
+
+    ACCESS_CHOICES = ((PRIVATE_ACCESS, "Private"), (PUBLIC_ACCESS, "Public"))
+
     workspace = models.ForeignKey(
         "db.Workspace", on_delete=models.CASCADE, related_name="pages"
     )
@@ -91,9 +96,7 @@ class PageLog(BaseModel):
     transaction = models.UUIDField(default=uuid.uuid4)
     page = models.ForeignKey(Page, related_name="page_log", on_delete=models.CASCADE)
     entity_identifier = models.UUIDField(null=True)
-    entity_name = models.CharField(
-        max_length=30, verbose_name="Transaction Type"
-    )
+    entity_name = models.CharField(max_length=30, verbose_name="Transaction Type")
     workspace = models.ForeignKey(
         "db.Workspace", on_delete=models.CASCADE, related_name="workspace_page_log"
     )
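Review bot: `ACCESS_CHOICES` is added on Page but nothing in this hunk attaches it to the `access` field that the duplicate endpoint now compares via `page.access == Page.PRIVATE_ACCESS`; if that field, declared further down the class outside the hunk, still uses literal integers without `choices=ACCESS_CHOICES`, the constants and the stored values can drift apart with no error, so the field should reference them. A short comment on the new constants would also help readers locate their meaning, e.g. `# Stored values of the ``access`` field; PRIVATE_ACCESS pages are owner-only in the page views`. If the project's Django version supports it, `models.IntegerChoices` would express the same pair more idiomatically than a hand-built tuple. The Page class body continues past the end of this hunk.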