chore: Page auth and other improvements (#3011)

* chore: project query optimised * chore: page permissions changed
2024-06-14 14:31:34 +00:00 · 2023-12-06 19:30:40 +05:30 · 2023-12-06 19:30:40 +05:30 · 55ce748aa1
commit 55ce748aa1
parent c3f3578e8b
5 changed files with 47 additions and 62 deletions
--- a/apiserver/plane/api/views/inbox.py
+++ b/apiserver/plane/api/views/inbox.py
@ -103,7 +103,7 @@ class InboxIssueAPIEndpoint(BaseAPIView):
        if inbox is None and not project.inbox_view:
            return Response(
                {
-                    "error": "Inbox is not enabled for this project enable it through the project settings"
+                    "error": "Inbox is not enabled for this project enable it through the project's api"
                },
                status=status.HTTP_400_BAD_REQUEST,
            )
@ -177,7 +177,7 @@ class InboxIssueAPIEndpoint(BaseAPIView):
        if inbox is None and not project.inbox_view:
            return Response(
                {
-                    "error": "Inbox is not enabled for this project enable it through the project settings"
+                    "error": "Inbox is not enabled for this project enable it through the project's api"
                },
                status=status.HTTP_400_BAD_REQUEST,
            )
@ -311,7 +311,7 @@ class InboxIssueAPIEndpoint(BaseAPIView):
        if inbox is None and not project.inbox_view:
            return Response(
                {
-                    "error": "Inbox is not enabled for this project enable it through the project settings"
+                    "error": "Inbox is not enabled for this project enable it through the project's api"
                },
                status=status.HTTP_400_BAD_REQUEST,
            )
--- a/apiserver/plane/app/serializers/project.py
+++ b/apiserver/plane/app/serializers/project.py
@ -103,16 +103,19 @@ class ProjectListSerializer(DynamicBaseSerializer):
    members = serializers.SerializerMethodField()

    def get_members(self, obj):
-        project_members = ProjectMember.objects.filter(
-            project_id=obj.id,
-            is_active=True,
-        ).values(
-            "id",
-            "member_id",
-            "member__display_name",
-            "member__avatar",
-        )
-        return list(project_members)
+        project_members = getattr(obj, "members_list", None)
+        if project_members is not None:
+            # Filter members by the project ID
+            return [
+                {
+                    "id": member.id,
+                    "member_id": member.member_id,
+                    "member__display_name": member.member.display_name,
+                    "member__avatar": member.member.avatar,
+                }
+                for member in project_members
+            ]
+        return []

    class Meta:
        model = Project
--- a/apiserver/plane/app/views/init.py
+++ b/apiserver/plane/app/views/init.py
@ -130,7 +130,6 @@ from .page import (
    PageFavoriteViewSet,
    PageLogEndpoint,
    SubPagesEndpoint,
-    CreateIssueFromBlockEndpoint,
 )

 from .search import GlobalSearchEndpoint, IssueSearchEndpoint
--- a/apiserver/plane/app/views/page.py
+++ b/apiserver/plane/app/views/page.py
@ -22,6 +22,7 @@ from plane.db.models import (
    IssueAssignee,
    IssueActivity,
    PageLog,
+    ProjectMember,
 )
 from plane.app.serializers import (
    PageSerializer,
@ -140,12 +141,6 @@ class PageViewSet(BaseViewSet):
            pk=page_id, workspace__slug=slug, project_id=project_id
        ).first()

-        # only the owner can lock the page
-        if request.user.id != page.owned_by_id:
-            return Response(
-                {"error": "Only the page owner can lock the page"},
-            )
-
        page.is_locked = True
        page.save()
        return Response(status=status.HTTP_204_NO_CONTENT)
@ -155,12 +150,6 @@ class PageViewSet(BaseViewSet):
            pk=page_id, workspace__slug=slug, project_id=project_id
        ).first()

-        # only the owner can unlock the page
-        if request.user.id != page.owned_by_id:
-            return Response(
-                {"error": "Only the page owner can unlock the page"},
-                status=status.HTTP_400_BAD_REQUEST,
-            )
        page.is_locked = False
        page.save()

@ -175,10 +164,16 @@ class PageViewSet(BaseViewSet):
    def archive(self, request, slug, project_id, page_id):
        page = Page.objects.get(pk=page_id, workspace__slug=slug, project_id=project_id)

-        if page.owned_by_id != request.user.id:
+        # only the owner and admin can archive the page
+        if (
+            ProjectMember.objects.filter(
+                project_id=project_id, member=request.user, is_active=True, role__gt=20
+            ).exists()
+            or request.user.id != page.owned_by_id
+        ):
            return Response(
-                {"error": "Only the owner of the page can archive a page"},
-                status=status.HTTP_204_NO_CONTENT,
+                {"error": "Only the owner and admin can archive the page"},
+                status=status.HTTP_400_BAD_REQUEST,
            )

        unarchive_archive_page_and_descendants(page_id, datetime.now())
@ -188,9 +183,15 @@ class PageViewSet(BaseViewSet):
    def unarchive(self, request, slug, project_id, page_id):
        page = Page.objects.get(pk=page_id, workspace__slug=slug, project_id=project_id)

-        if page.owned_by_id != request.user.id:
+        # only the owner and admin can un archive the page
+        if (
+            ProjectMember.objects.filter(
+                project_id=project_id, member=request.user, is_active=True, role__gt=20
+            ).exists()
+            or request.user.id != page.owned_by_id
+        ):
            return Response(
-                {"error": "Only the owner of the page can unarchive a page"},
+                {"error": "Only the owner and admin can un archive the page"},
                status=status.HTTP_400_BAD_REQUEST,
            )

@ -216,6 +217,18 @@ class PageViewSet(BaseViewSet):
    def destroy(self, request, slug, project_id, pk):
        page = Page.objects.get(pk=pk, workspace__slug=slug, project_id=project_id)

+        # only the owner and admin can delete the page
+        if (
+            ProjectMember.objects.filter(
+                project_id=project_id, member=request.user, is_active=True, role__gt=20
+            ).exists()
+            or request.user.id != page.owned_by_id
+        ):
+            return Response(
+                {"error": "Only the owner and admin can delete the page"},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+
        if page.archived_at is None:
            return Response(
                {"error": "The page should be archived before deleting"},
@ -227,7 +240,6 @@ class PageViewSet(BaseViewSet):
            parent_id=pk, project_id=project_id, workspace__slug=slug
        ).update(parent=None)

-
        page.delete()
        return Response(status=status.HTTP_204_NO_CONTENT)

@ -310,36 +322,6 @@ class PageLogEndpoint(BaseAPIView):
        return Response(status=status.HTTP_204_NO_CONTENT)


-class CreateIssueFromBlockEndpoint(BaseAPIView):
-    permission_classes = [
-        ProjectEntityPermission,
-    ]
-
-    def post(self, request, slug, project_id, page_id):
-        page = Page.objects.get(
-            workspace__slug=slug,
-            project_id=project_id,
-            pk=page_id,
-        )
-        issue = Issue.objects.create(
-            name=request.data.get("name"),
-            project_id=project_id,
-        )
-        _ = IssueAssignee.objects.create(
-            issue=issue, assignee=request.user, project_id=project_id
-        )
-
-        _ = IssueActivity.objects.create(
-            issue=issue,
-            actor=request.user,
-            project_id=project_id,
-            comment=f"created the issue from {page.name} block",
-            verb="created",
-        )
-
-        return Response(IssueLiteSerializer(issue).data, status=status.HTTP_200_OK)
-
-
 class SubPagesEndpoint(BaseAPIView):
    permission_classes = [
        ProjectEntityPermission,
--- a/apiserver/plane/app/views/project.py
+++ b/apiserver/plane/app/views/project.py
@ -165,6 +165,7 @@ class ProjectViewSet(WebhookMixin, BaseViewSet):
                        workspace__slug=slug,
                        is_active=True,
                    ).select_related("member"),
+                    to_attr='members_list'
                )
            )
            .order_by("sort_order", "name")