From 6de6522a41154866ae7b3272d6ab9e86eea5aeaa Mon Sep 17 00:00:00 2001 From: pablohashescobar <118773738+pablohashescobar@users.noreply.github.com> Date: Sat, 11 Mar 2023 23:51:06 +0530 Subject: [PATCH] chore: permissions for api endpoints (#419) --- apiserver/plane/api/views/cycle.py | 26 +++++++++++++++++++ apiserver/plane/api/views/integration/base.py | 24 ++++++++++++++++- .../plane/api/views/integration/github.py | 18 +++++++++++++ apiserver/plane/api/views/module.py | 5 ++++ 4 files changed, 72 insertions(+), 1 deletion(-) diff --git a/apiserver/plane/api/views/cycle.py b/apiserver/plane/api/views/cycle.py index 9a1f40a6d..899c2a956 100644 --- a/apiserver/plane/api/views/cycle.py +++ b/apiserver/plane/api/views/cycle.py @@ -263,6 +263,11 @@ class CycleIssueViewSet(BaseViewSet): class CycleDateCheckEndpoint(BaseAPIView): + + permission_classes = [ + ProjectEntityPermission, + ] + def post(self, request, slug, project_id): try: start_date = request.data.get("start_date") @@ -294,6 +299,11 @@ class CycleDateCheckEndpoint(BaseAPIView): class CurrentUpcomingCyclesEndpoint(BaseAPIView): + + permission_classes = [ + ProjectEntityPermission, + ] + def get(self, request, slug, project_id): try: subquery = CycleFavorite.objects.filter( @@ -332,6 +342,12 @@ class CurrentUpcomingCyclesEndpoint(BaseAPIView): class CompletedCyclesEndpoint(BaseAPIView): + + permission_classes = [ + ProjectEntityPermission, + ] + + def get(self, request, slug, project_id): try: subquery = CycleFavorite.objects.filter( @@ -364,6 +380,11 @@ class CompletedCyclesEndpoint(BaseAPIView): class DraftCyclesEndpoint(BaseAPIView): + + permission_classes = [ + ProjectEntityPermission, + ] + def get(self, request, slug, project_id): try: draft_cycles = Cycle.objects.filter( @@ -386,6 +407,11 @@ class DraftCyclesEndpoint(BaseAPIView): class CycleFavoriteViewSet(BaseViewSet): + + permission_classes = [ + ProjectEntityPermission, + ] + serializer_class = CycleFavoriteSerializer model = CycleFavorite 
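Review bot: `ProjectEntityPermission` is referenced in the new `permission_classes` of `CycleDateCheckEndpoint` but none of the cycle.py hunks adds an import for it, whereas the base.py and github.py hunks in this same commit do add the matching `from plane.api.permissions import ...` line; if cycle.py does not already import the name earlier in the file, every one of these class bodies raises NameError at import time and the whole views module fails to load. The same applies to the other four cycle.py hunks (`CurrentUpcomingCyclesEndpoint`, `CompletedCyclesEndpoint`, `DraftCyclesEndpoint`, `CycleFavoriteViewSet`) and to the module.py hunk for `ModuleFavoriteViewSet`. If the import is already present outside the hunks this is fine; otherwise add `from plane.api.permissions import ProjectEntityPermission` to each file's import block.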
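Review bot: The `CompletedCyclesEndpoint` hunk adds two blank lines between the closing `]` and `def get`, while the other four cycle.py hunks add one; dropping one of the two `+` blank lines keeps the class bodies consistent and matches PEP 8's single blank line between members. The same inconsistency appears in github.py, where the `GithubCommentSyncViewSet` hunk adds a leading blank line before `permission_classes` that the other three github.py hunks do not.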
diff --git a/apiserver/plane/api/views/integration/base.py b/apiserver/plane/api/views/integration/base.py index 4f15c347f..8312afa01 100644 --- a/apiserver/plane/api/views/integration/base.py +++ b/apiserver/plane/api/views/integration/base.py @@ -25,7 +25,7 @@ from plane.utils.integrations.github import ( get_github_metadata, delete_github_installation, ) - +from plane.api.permissions import WorkSpaceAdminPermission class IntegrationViewSet(BaseViewSet): serializer_class = IntegrationSerializer @@ -75,11 +75,33 @@ class IntegrationViewSet(BaseViewSet): status=status.HTTP_400_BAD_REQUEST, ) + def destroy(self, request, pk): + try: + integration = Integration.objects.get(pk=pk) + if integration.verified: + return Response( + {"error": "Verified integrations cannot be updated"}, + status=status.HTTP_400_BAD_REQUEST, + ) + + integration.delete() + return Response(status=status.HTTP_204_NO_CONTENT) + except Integration.DoesNotExist: + return Response( + {"error": "Integration Does not exist"}, + status=status.HTTP_404_NOT_FOUND, + ) + class WorkspaceIntegrationViewSet(BaseViewSet): serializer_class = WorkspaceIntegrationSerializer model = WorkspaceIntegration + permission_classes = [ + WorkSpaceAdminPermission, + ] + + def get_queryset(self): return ( super() diff --git a/apiserver/plane/api/views/integration/github.py b/apiserver/plane/api/views/integration/github.py index 5660e9d90..85e1efa7e 100644 --- a/apiserver/plane/api/views/integration/github.py +++ b/apiserver/plane/api/views/integration/github.py @@ -20,9 +20,14 @@ from plane.api.serializers import ( GithubCommentSyncSerializer, ) from plane.utils.integrations.github import get_github_repos +from plane.api.permissions import ProjectBasePermission, ProjectEntityPermission class GithubRepositoriesEndpoint(BaseAPIView): + permission_classes = [ + ProjectBasePermission, + ] + def get(self, request, slug, workspace_integration_id): try: page = request.GET.get("page", 1) 
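Review bot: The new `from plane.api.permissions import WorkSpaceAdminPermission` line replaces the blank line that separated the import block from `class IntegrationViewSet`, so the class definition now follows the imports with no blank lines at all; keep the import and restore two blank lines before the class per PEP 8. Placing it alongside the other `plane.api` imports rather than after the `plane.utils.integrations.github` import would also keep the first-party import group ordered.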
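Review bot: The new `destroy` on `IntegrationViewSet` returns `{"error": "Verified integrations cannot be updated"}` on the delete path; the message should read `{"error": "Verified integrations cannot be deleted"}`. This hunk adds `WorkSpaceAdminPermission` only to `WorkspaceIntegrationViewSet`, so the `destroy` it adds to `IntegrationViewSet` is guarded solely by whatever `permission_classes` that class already declares outside the hunk — worth confirming that deleting an unverified integration is limited to an administrative role, especially since the lookup is a direct `Integration.objects.get(pk=pk)` rather than `self.get_object()`, so DRF's object-level permission check never runs. Only `Integration.DoesNotExist` is caught, so a malformed `pk` (if the primary key is a UUID) would surface as a 500 rather than a 4xx; `IntegrationViewSet` begins outside the hunk.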
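Review bot: `GithubRepositoriesEndpoint.get` receives only `slug` and `workspace_integration_id`, yet the hunk guards it with `ProjectBasePermission`; if that class resolves the project from a `project_id` view kwarg, as its name suggests, the check has nothing to resolve and would either deny every request or silently skip the project scope — verify against the implementation in `plane.api.permissions`. For an endpoint keyed on a workspace integration, a workspace-scoped permission such as the `WorkSpaceAdminPermission` used in base.py looks like the closer fit; the function body continues outside the hunk.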
@@ -44,6 +49,10 @@ class GithubRepositoriesEndpoint(BaseAPIView): class GithubRepositorySyncViewSet(BaseViewSet): + permission_classes = [ + ProjectBasePermission, + ] + serializer_class = GithubRepositorySyncSerializer model = GithubRepositorySync @@ -148,6 +157,10 @@ class GithubRepositorySyncViewSet(BaseViewSet): class GithubIssueSyncViewSet(BaseViewSet): + permission_classes = [ + ProjectEntityPermission, + ] + serializer_class = GithubIssueSyncSerializer model = GithubIssueSync @@ -159,6 +172,11 @@ class GithubIssueSyncViewSet(BaseViewSet): class GithubCommentSyncViewSet(BaseViewSet): + + permission_classes = [ + ProjectEntityPermission, + ] + serializer_class = GithubCommentSyncSerializer model = GithubCommentSync diff --git a/apiserver/plane/api/views/module.py b/apiserver/plane/api/views/module.py index ce74cfdff..3633859d5 100644 --- a/apiserver/plane/api/views/module.py +++ b/apiserver/plane/api/views/module.py @@ -307,6 +307,11 @@ class ModuleLinkViewSet(BaseViewSet): class ModuleFavoriteViewSet(BaseViewSet): + + permission_classes = [ + ProjectEntityPermission, + ] + serializer_class = ModuleFavoriteSerializer model = ModuleFavorite
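Review bot: `GithubRepositorySyncViewSet` is given `ProjectBasePermission` while the `GithubIssueSyncViewSet` and `GithubCommentSyncViewSet` hunks below get `ProjectEntityPermission`, and nothing in the hunk says whether that asymmetry is intended or carried over from `GithubRepositoriesEndpoint`. A one-line comment above the attribute, e.g. `# NOTE: ProjectBasePermission (not ProjectEntityPermission) on purpose — <reason>`, would make the intended access model reviewable and stop a later cleanup from "harmonising" it; the viewset body continues outside the hunk.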