chore: permissions for api endpoints (#419)

2023-03-11 23:51:06 +05:30 · 2023-03-11 23:51:06 +05:30 · 6de6522a41
commit 6de6522a41
parent bff89ee4c6
4 changed files with 72 additions and 1 deletions
--- a/apiserver/plane/api/views/cycle.py
+++ b/apiserver/plane/api/views/cycle.py
@ -263,6 +263,11 @@ class CycleIssueViewSet(BaseViewSet):


 class CycleDateCheckEndpoint(BaseAPIView):
+
+    permission_classes = [
+        ProjectEntityPermission,
+    ]    
+
    def post(self, request, slug, project_id):
        try:
            start_date = request.data.get("start_date")
@ -294,6 +299,11 @@ class CycleDateCheckEndpoint(BaseAPIView):


 class CurrentUpcomingCyclesEndpoint(BaseAPIView):
+
+    permission_classes = [
+        ProjectEntityPermission,
+    ]
+    
    def get(self, request, slug, project_id):
        try:
            subquery = CycleFavorite.objects.filter(
@ -332,6 +342,12 @@ class CurrentUpcomingCyclesEndpoint(BaseAPIView):


 class CompletedCyclesEndpoint(BaseAPIView):
+
+    permission_classes = [
+        ProjectEntityPermission,
+    ]    
+
+    
    def get(self, request, slug, project_id):
        try:
            subquery = CycleFavorite.objects.filter(
@ -364,6 +380,11 @@ class CompletedCyclesEndpoint(BaseAPIView):


 class DraftCyclesEndpoint(BaseAPIView):
+
+    permission_classes = [
+        ProjectEntityPermission,
+    ]    
+
    def get(self, request, slug, project_id):
        try:
            draft_cycles = Cycle.objects.filter(
@ -386,6 +407,11 @@ class DraftCyclesEndpoint(BaseAPIView):


 class CycleFavoriteViewSet(BaseViewSet):
+
+    permission_classes = [
+        ProjectEntityPermission,
+    ]
+    
    serializer_class = CycleFavoriteSerializer
    model = CycleFavorite

--- a/apiserver/plane/api/views/integration/base.py
+++ b/apiserver/plane/api/views/integration/base.py
@ -25,7 +25,7 @@ from plane.utils.integrations.github import (
    get_github_metadata,
    delete_github_installation,
 )
-
+from plane.api.permissions import WorkSpaceAdminPermission

 class IntegrationViewSet(BaseViewSet):
    serializer_class = IntegrationSerializer
@ -75,11 +75,33 @@ class IntegrationViewSet(BaseViewSet):
                status=status.HTTP_400_BAD_REQUEST,
            )

+    def destroy(self, request, pk):
+        try:
+            integration = Integration.objects.get(pk=pk)
+            if integration.verified:
+                return Response(
+                    {"error": "Verified integrations cannot be updated"},
+                    status=status.HTTP_400_BAD_REQUEST,
+                )
+
+            integration.delete()
+            return Response(status=status.HTTP_204_NO_CONTENT)
+        except Integration.DoesNotExist:
+            return Response(
+                {"error": "Integration Does not exist"},
+                status=status.HTTP_404_NOT_FOUND,
+            )
+

 class WorkspaceIntegrationViewSet(BaseViewSet):
    serializer_class = WorkspaceIntegrationSerializer
    model = WorkspaceIntegration

+    permission_classes = [
+        WorkSpaceAdminPermission,
+    ]
+
+
    def get_queryset(self):
        return (
            super()
--- a/apiserver/plane/api/views/integration/github.py
+++ b/apiserver/plane/api/views/integration/github.py
@ -20,9 +20,14 @@ from plane.api.serializers import (
    GithubCommentSyncSerializer,
 )
 from plane.utils.integrations.github import get_github_repos
+from plane.api.permissions import ProjectBasePermission, ProjectEntityPermission


 class GithubRepositoriesEndpoint(BaseAPIView):
+    permission_classes = [
+        ProjectBasePermission,
+    ]
+
    def get(self, request, slug, workspace_integration_id):
        try:
            page = request.GET.get("page", 1)
@ -44,6 +49,10 @@ class GithubRepositoriesEndpoint(BaseAPIView):


 class GithubRepositorySyncViewSet(BaseViewSet):
+    permission_classes = [
+        ProjectBasePermission,
+    ]
+
    serializer_class = GithubRepositorySyncSerializer
    model = GithubRepositorySync

@ -148,6 +157,10 @@ class GithubRepositorySyncViewSet(BaseViewSet):


 class GithubIssueSyncViewSet(BaseViewSet):
+    permission_classes = [
+        ProjectEntityPermission,
+    ]
+
    serializer_class = GithubIssueSyncSerializer
    model = GithubIssueSync

@ -159,6 +172,11 @@ class GithubIssueSyncViewSet(BaseViewSet):


 class GithubCommentSyncViewSet(BaseViewSet):
+
+    permission_classes = [
+        ProjectEntityPermission,
+    ]
+    
    serializer_class = GithubCommentSyncSerializer
    model = GithubCommentSync

--- a/apiserver/plane/api/views/module.py
+++ b/apiserver/plane/api/views/module.py
@ -307,6 +307,11 @@ class ModuleLinkViewSet(BaseViewSet):


 class ModuleFavoriteViewSet(BaseViewSet):
+
+    permission_classes = [
+        ProjectEntityPermission,
+    ]
+
    serializer_class = ModuleFavoriteSerializer
    model = ModuleFavorite