diff --git a/apiserver/plane/app/urls/views.py b/apiserver/plane/app/urls/views.py
index 3fab4f804..c081b107c 100644
--- a/apiserver/plane/app/urls/views.py
+++ b/apiserver/plane/app/urls/views.py
@@ -69,6 +69,15 @@ urlpatterns = [
 ),
 name="workspace-duplicate-view",
 ),
+ path(
+ "workspaces//projects//views//lock/",
+ WorkspaceViewViewSet.as_view(
+ {
+ "post": "toggle_lock",
+ }
+ ),
+ name="project-lock-views",
+ ),
 path(
 "workspaces//projects//views/",
 ProjectViewViewSet.as_view(
@@ -109,6 +118,15 @@ urlpatterns = [
 ),
 name="project-duplicate-view",
 ),
+ path(
+ "workspaces//projects//views//lock/",
+ ProjectViewViewSet.as_view(
+ {
+ "post": "toggle_lock",
+ }
+ ),
+ name="project-lock-views",
+ ),
 path(
 "workspaces//projects//views//favorite/",
 ProjectViewFavoriteViewSet.as_view(
diff --git a/apiserver/plane/app/views/view.py b/apiserver/plane/app/views/view.py
index cad2ad576..24f7d5a70 100644
--- a/apiserver/plane/app/views/view.py
+++ b/apiserver/plane/app/views/view.py
@@ -194,6 +194,11 @@ class WorkspaceViewViewSet(BaseViewSet):
 .filter(pk=pk, workspace__slug=slug)
 .first()
 )
+ if view.owned_by != self.request.user:
+ return Response(
+ {"error": "You cannot update the view"},
+ status=status.HTTP_403_FORBIDDEN,
+ )
 view.access = request.data.get("access", view.access)
 view.save(update_fields=["access"])
 return Response(ViewSerializer(view).data, status=status.HTTP_200_OK)
@@ -357,6 +362,11 @@ class ProjectViewViewSet(BaseViewSet):
 .filter(pk=pk, project_id=project_id, workspace__slug=slug)
 .first()
 )
+ if view.owned_by != self.request.user:
+ return Response(
+ {"error": "You cannot update the view"},
+ status=status.HTTP_403_FORBIDDEN,
+ )
 view.access = request.data.get("access", view.access)
 view.save(update_fields=["access"])
 return Response(ViewSerializer(view).data, status=status.HTTP_200_OK)
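Review bot: The route added after `workspace-duplicate-view` in urls/views.py is wired to `WorkspaceViewViewSet` but carries a `projects` path segment and `name="project-lock-views"`, and the second hunk (at -109) registers `ProjectViewViewSet` under the same name and, as rendered here, the same path. Django dispatches to the first matching pattern and `reverse()` on a duplicated name resolves to only one entry, so if the two patterns really match the same URLs, the project viewset's `toggle_lock` and whatever permission checks it carries are never reached. The path converters are stripped on this page, so confirm against the real file; if the first entry is meant to be workspace-scoped, drop the `projects` segment and give it a distinct name such as `name="workspace-lock-views"`. `toggle_lock` itself is not defined in the view.py hunks shown, so also confirm it exists on both viewsets and enforces the same owner check that those hunks add.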
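Review bot: The new owner check in the `WorkspaceViewViewSet` hunk (and the identical one in the `ProjectViewViewSet` hunk at -357) dereferences `view.owned_by` right after `.first()`, which returns `None` when no row matches the filter, so a request for a missing or out-of-scope view ends in an unhandled `AttributeError` (HTTP 500) instead of a clean denial. Guard it before the ownership test, e.g. `if view is None: return Response({"error": "View not found"}, status=status.HTTP_404_NOT_FOUND)`. Comparing `view.owned_by_id != request.user.id` would also avoid loading the related user just to test ownership, assuming `owned_by` is a foreign key. The enclosing methods start above both hunks, so their permission decorators and the start of the query are not visible here.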