[WEB-4854] chore: project admin accesss to workspace admins (#7749)

* chore: project admin accesss to workspace admins * chore: frontend changes * chore: remove console.log * chore: refactor permission decorator * chore: role enum * chore: rearrange role_choices
2025-09-11 14:16:36 +05:30 · 2025-09-11 14:16:36 +05:30 · ec541c2557
commit ec541c2557
parent 11cd8d11e4
5 changed files with 92 additions and 29 deletions
--- a/apps/api/plane/app/permissions/base.py
+++ b/apps/api/plane/app/permissions/base.py
@ -39,13 +39,31 @@ def allow_permission(allowed_roles, level="PROJECT", creator=False, model=None):
                ).exists():
                    return view_func(instance, request, *args, **kwargs)
            else:
-                if ProjectMember.objects.filter(
+                is_user_has_allowed_role = ProjectMember.objects.filter(
                    member=request.user,
                    workspace__slug=kwargs["slug"],
                    project_id=kwargs["project_id"],
                    role__in=allowed_role_values,
                    is_active=True,
-                ).exists():
+                ).exists()
+
+                # Return if the user has the allowed role else if they are workspace admin and part of the project regardless of the role
+                if is_user_has_allowed_role:
+                    return view_func(instance, request, *args, **kwargs)
+                elif (
+                    ProjectMember.objects.filter(
+                        member=request.user,
+                        workspace__slug=kwargs["slug"],
+                        project_id=kwargs["project_id"],
+                        is_active=True,
+                    ).exists()
+                    and WorkspaceMember.objects.filter(
+                        member=request.user,
+                        workspace__slug=kwargs["slug"],
+                        role=ROLE.ADMIN.value,
+                        is_active=True,
+                    ).exists()
+                ):
                    return view_func(instance, request, *args, **kwargs)

            # Return permission denied if no conditions are met
--- a/apps/api/plane/app/permissions/project.py
+++ b/apps/api/plane/app/permissions/project.py
@ -3,11 +3,7 @@ from rest_framework.permissions import SAFE_METHODS, BasePermission

 # Module import
 from plane.db.models import ProjectMember, WorkspaceMember
-
-# Permission Mappings
-Admin = 20
-Member = 15
-Guest = 5
+from plane.db.models.project import ROLE


 class ProjectBasePermission(BasePermission):
@ -26,18 +22,31 @@ class ProjectBasePermission(BasePermission):
            return WorkspaceMember.objects.filter(
                workspace__slug=view.workspace_slug,
                member=request.user,
-                role__in=[Admin, Member],
+                role__in=[ROLE.ADMIN.value, ROLE.MEMBER.value],
                is_active=True,
            ).exists()

-        ## Only Project Admins can update project attributes
-        return ProjectMember.objects.filter(
+        project_member_qs = ProjectMember.objects.filter(
            workspace__slug=view.workspace_slug,
            member=request.user,
-            role=Admin,
            project_id=view.project_id,
            is_active=True,
-        ).exists()
+        )
+
+        ## Only project admins or workspace admin who is part of the project can access
+
+        if project_member_qs.filter(role=ROLE.ADMIN.value).exists():
+            return True
+        else:
+            return (
+                project_member_qs.exists()
+                and WorkspaceMember.objects.filter(
+                    member=request.user,
+                    workspace__slug=view.workspace_slug,
+                    role=ROLE.ADMIN.value,
+                    is_active=True,
+                ).exists()
+            )


 class ProjectMemberPermission(BasePermission):
@ -55,7 +64,7 @@ class ProjectMemberPermission(BasePermission):
            return WorkspaceMember.objects.filter(
                workspace__slug=view.workspace_slug,
                member=request.user,
-                role__in=[Admin, Member],
+                role__in=[ROLE.ADMIN.value, ROLE.MEMBER.value],
                is_active=True,
            ).exists()

@ -63,7 +72,7 @@ class ProjectMemberPermission(BasePermission):
        return ProjectMember.objects.filter(
            workspace__slug=view.workspace_slug,
            member=request.user,
-            role__in=[Admin, Member],
+            role__in=[ROLE.ADMIN.value, ROLE.MEMBER.value],
            project_id=view.project_id,
            is_active=True,
        ).exists()
@ -97,7 +106,7 @@ class ProjectEntityPermission(BasePermission):
        return ProjectMember.objects.filter(
            workspace__slug=view.workspace_slug,
            member=request.user,
-            role__in=[Admin, Member],
+            role__in=[ROLE.ADMIN.value, ROLE.MEMBER.value],
            project_id=view.project_id,
            is_active=True,
        ).exists()
--- a/apps/api/plane/app/views/project/base.py
+++ b/apps/api/plane/app/views/project/base.py
@ -5,13 +5,12 @@ from django.utils import timezone
 import json

 # Django imports
-from django.db import IntegrityError
 from django.db.models import Exists, F, OuterRef, Prefetch, Q, Subquery
 from django.core.serializers.json import DjangoJSONEncoder

 # Third Party imports
 from rest_framework.response import Response
-from rest_framework import serializers, status
+from rest_framework import status
 from rest_framework.permissions import AllowAny

 # Module imports
@ -106,7 +105,10 @@ class ProjectViewSet(BaseViewSet):
        fields = [field for field in request.GET.get("fields", "").split(",") if field]
        projects = self.get_queryset().order_by("sort_order", "name")
        if WorkspaceMember.objects.filter(
-            member=request.user, workspace__slug=slug, is_active=True, role=5
+            member=request.user,
+            workspace__slug=slug,
+            is_active=True,
+            role=ROLE.GUEST.value,
        ).exists():
            projects = projects.filter(
                project_projectmember__member=self.request.user,
@ -114,7 +116,10 @@ class ProjectViewSet(BaseViewSet):
            )

        if WorkspaceMember.objects.filter(
-            member=request.user, workspace__slug=slug, is_active=True, role=15
+            member=request.user,
+            workspace__slug=slug,
+            is_active=True,
+            role=ROLE.MEMBER.value,
        ).exists():
            projects = projects.filter(
                Q(
@ -189,7 +194,10 @@ class ProjectViewSet(BaseViewSet):
        )

        if WorkspaceMember.objects.filter(
-            member=request.user, workspace__slug=slug, is_active=True, role=5
+            member=request.user,
+            workspace__slug=slug,
+            is_active=True,
+            role=ROLE.GUEST.value,
        ).exists():
            projects = projects.filter(
                project_projectmember__member=self.request.user,
@ -197,7 +205,10 @@ class ProjectViewSet(BaseViewSet):
            )

        if WorkspaceMember.objects.filter(
-            member=request.user, workspace__slug=slug, is_active=True, role=15
+            member=request.user,
+            workspace__slug=slug,
+            is_active=True,
+            role=ROLE.MEMBER.value,
        ).exists():
            projects = projects.filter(
                Q(
@ -250,7 +261,9 @@ class ProjectViewSet(BaseViewSet):

            # Add the user as Administrator to the project
            _ = ProjectMember.objects.create(
-                project_id=serializer.data["id"], member=request.user, role=20
+                project_id=serializer.data["id"],
+                member=request.user,
+                role=ROLE.ADMIN.value,
            )
            # Also create the issue property for the user
            _ = IssueUserProperty.objects.create(
@ -263,7 +276,7 @@ class ProjectViewSet(BaseViewSet):
                ProjectMember.objects.create(
                    project_id=serializer.data["id"],
                    member_id=serializer.data["project_lead"],
-                    role=20,
+                    role=ROLE.ADMIN.value,
                )
                # Also create the issue property for the user
                IssueUserProperty.objects.create(
@ -341,13 +354,23 @@ class ProjectViewSet(BaseViewSet):

    def partial_update(self, request, slug, pk=None):
        # try:
-        if not ProjectMember.objects.filter(
+        is_workspace_admin = WorkspaceMember.objects.filter(
+            member=request.user,
+            workspace__slug=slug,
+            is_active=True,
+            role=ROLE.ADMIN.value,
+        ).exists()
+
+        is_project_admin = ProjectMember.objects.filter(
            member=request.user,
            workspace__slug=slug,
            project_id=pk,
-            role=20,
+            role=ROLE.ADMIN.value,
            is_active=True,
-        ).exists():
+        ).exists()
+
+        # Return error for if the user is neither workspace admin nor project admin
+        if not is_project_admin and not is_workspace_admin:
            return Response(
                {"error": "You don't have the required permissions."},
                status=status.HTTP_403_FORBIDDEN,
@ -402,13 +425,16 @@ class ProjectViewSet(BaseViewSet):
    def destroy(self, request, slug, pk):
        if (
            WorkspaceMember.objects.filter(
-                member=request.user, workspace__slug=slug, is_active=True, role=20
+                member=request.user,
+                workspace__slug=slug,
+                is_active=True,
+                role=ROLE.ADMIN.value,
            ).exists()
            or ProjectMember.objects.filter(
                member=request.user,
                workspace__slug=slug,
                project_id=pk,
-                role=20,
+                role=ROLE.ADMIN.value,
                is_active=True,
            ).exists()
        ):