[WEB-2357] fix: update and redefine user roles across the platform (#5466)

* chore: removed viewer role * chore: indentation * chore: remove viewer role * chore: handled user permissions in store * chore: updated the migration file * chore: updated user permissions store * chore: removed the owner key * chore: code refactor * chore: code refactor * chore: code refactor * chore: code refactor * chore: code refactor * fix: build error * chore: updated user permissions store and handled the permissions fetch in workspace and project wrappers * chore: package user enum updated * chore: user permission updated * chore: user permission updated * chore: resolved build errors * chore: resolved build error * chore: resolved build errors * chore: computedFn deep map issue resolved * chore: added back migration * chore: added new field in project table * chore: removed member store in users * chore: private project for admins * chore: workspace notification access validation updated * fix: workspace member edit option * fix: project intake permission validation updated * chore: workspace export settings permission updated * chore: guest_view_all_issues added * chore: guest_view_all_issues added * chore: key changed for guest access * chore: added validation for individual issues * chore: changed the dashboard issues count * chore: added new yarn file * chore: modified yarn file * chore: project page permission updated * chore: project page permission updated * chore: member setting ux updated * chore: build error * fix: yarn lock * fix: build error --------- Co-authored-by: gurusainath <gurusainath007@gmail.com> Co-authored-by: Anmol Singh Bhatia <anmolsinghbhatia@plane.so>
2024-09-11 17:10:15 +05:30 · 2024-09-11 17:10:15 +05:30 · fdcd9a376c
commit fdcd9a376c
parent 7013a36629
172 changed files with 2057 additions and 1627 deletions
--- a/apiserver/plane/app/views/view/base.py
+++ b/apiserver/plane/app/views/view/base.py
@ -35,6 +35,7 @@ from plane.db.models import (
    Workspace,
    WorkspaceMember,
    ProjectMember,
+    Project,
 )
 from plane.utils.grouper import (
    issue_group_values,
@ -75,7 +76,7 @@ class WorkspaceViewViewSet(BaseViewSet):
        )

    @allow_permission(
-        allowed_roles=[ROLE.ADMIN, ROLE.MEMBER, ROLE.VIEWER, ROLE.GUEST],
+        allowed_roles=[ROLE.ADMIN, ROLE.MEMBER, ROLE.GUEST],
        level="WORKSPACE",
    )
    def list(self, request, slug):
@ -259,7 +260,7 @@ class WorkspaceViewIssuesViewSet(BaseViewSet):

    @method_decorator(gzip_page)
    @allow_permission(
-        allowed_roles=[ROLE.ADMIN, ROLE.MEMBER, ROLE.VIEWER, ROLE.GUEST],
+        allowed_roles=[ROLE.ADMIN, ROLE.MEMBER, ROLE.GUEST],
        level="WORKSPACE",
    )
    def list(self, request, slug):
@ -272,15 +273,24 @@ class WorkspaceViewIssuesViewSet(BaseViewSet):
            .annotate(cycle_id=F("issue_cycle__cycle_id"))
        )

-        if WorkspaceMember.objects.filter(
-            workspace__slug=slug,
-            member=request.user,
-            role=5,
-            is_active=True,
-        ).exists():
-            issue_queryset = issue_queryset.filter(
-                created_by=request.user,
+        # check for the project member role, if the role is 5 then check for the guest_view_all_features if it is true then show all the issues else show only the issues created by the user
+
+        issue_queryset = issue_queryset.filter(
+            Q(
+                project__project_projectmember__role=5,
+                project__guest_view_all_features=True,
            )
+            | Q(
+                project__project_projectmember__role=5,
+                project__guest_view_all_features=False,
+                created_by=self.request.user,
+            )
+            |
+            # For other roles (role < 5), show all issues
+            Q(project__project_projectmember__role__gt=5),
+            project__project_projectmember__member=self.request.user,
+            project__project_projectmember__is_active=True,
+        )

        # Issue queryset
        issue_queryset, order_by_param = order_issue_queryset(
@ -421,19 +431,21 @@ class IssueViewViewSet(BaseViewSet):
            .distinct()
        )

-    allow_permission(
-        allowed_roles=[ROLE.ADMIN, ROLE.MEMBER, ROLE.VIEWER, ROLE.GUEST]
-    )
+    allow_permission(allowed_roles=[ROLE.ADMIN, ROLE.MEMBER, ROLE.GUEST])

    def list(self, request, slug, project_id):
        queryset = self.get_queryset()
-        if ProjectMember.objects.filter(
-            workspace__slug=slug,
-            project_id=project_id,
-            member=request.user,
-            role=5,
-            is_active=True,
-        ).exists():
+        project = Project.objects.get(id=project_id)
+        if (
+            ProjectMember.objects.filter(
+                workspace__slug=slug,
+                project_id=project_id,
+                member=request.user,
+                role=5,
+                is_active=True,
+            ).exists()
+            and not project.guest_view_all_features
+        ):
            queryset = queryset.filter(owned_by=request.user)
        fields = [
            field
@ -445,14 +457,34 @@ class IssueViewViewSet(BaseViewSet):
        ).data
        return Response(views, status=status.HTTP_200_OK)

-    allow_permission(
-        allowed_roles=[ROLE.ADMIN, ROLE.MEMBER, ROLE.VIEWER, ROLE.GUEST]
-    )
+    allow_permission(allowed_roles=[ROLE.ADMIN, ROLE.MEMBER, ROLE.GUEST])

    def retrieve(self, request, slug, project_id, pk):
        issue_view = (
            self.get_queryset().filter(pk=pk, project_id=project_id).first()
        )
+        project = Project.objects.get(id=project_id)
+        """
+        if the role is guest and guest_view_all_features is false and owned by is not 
+        the requesting user then dont show the view
+        """
+
+        if (
+            ProjectMember.objects.filter(
+                workspace__slug=slug,
+                project_id=project_id,
+                member=request.user,
+                role=5,
+                is_active=True,
+            ).exists()
+            and not project.guest_view_all_features
+            and not issue_view.owned_by == request.user
+        ):
+            return Response(
+                {"error": "You are not allowed to view this issue"},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+
        serializer = IssueViewSerializer(issue_view)
        recent_visited_task.delay(
            slug=slug,