From 7bb157971d96d0197a3bc08602213776138735d2 Mon Sep 17 00:00:00 2001
From: pablohashescobar
Date: Thu, 9 Nov 2023 18:52:08 +0530
Subject: [PATCH] dev: permission check

---
 apiserver/plane/api/views/project.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/apiserver/plane/api/views/project.py b/apiserver/plane/api/views/project.py
index 20d2df8eb..40182c42e 100644
--- a/apiserver/plane/api/views/project.py
+++ b/apiserver/plane/api/views/project.py
@@ -352,7 +352,17 @@ class InviteProjectEndpoint(BaseAPIView):
     def post(self, request, slug, project_id):
         email = request.data.get("email", False)
-        role = request.data.get("role", False)
+        role = request.data.get("role", 15)
+
+        requested_user_role = ProjectMember.objects.get(
+            workspace__slug=slug, project_id=project_id, member_id=request.user.id
+        )
+
+        if int(role) > int(requested_user_role.role):
+            return Response(
+                {"error": "You cannot invite a user with higher role."},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
         # Check if email is provided
         if not email:
@@ -413,7 +423,6 @@ class InviteProjectEndpoint(BaseAPIView):
             )
-
 class UserProjectInvitationsViewset(BaseViewSet):
     serializer_class = ProjectMemberInviteSerializer
     model = ProjectMemberInvite
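Review bot: The new privilege check in `post` trusts two things it does not validate: `ProjectMember.objects.get(...)` raises `DoesNotExist` when the caller is not a member of this project, and `int(role)` raises `ValueError`/`TypeError` when the client sends a non-numeric `role` (e.g. `"admin"`, `null`, a list) — both surface as an unhandled exception rather than a 4xx unless `BaseAPIView` catches them, which is not visible here. A non-member reaching this endpoint is exactly the case an escalation check must handle deliberately, so it should return 403 explicitly instead of depending on an exception path, and the role should be parsed once into an int before the comparison. The comparison also only prevents inviting *above* the caller's role; whether `role` is restricted to the known role values, and whether the caller must have invite permission at all, is presumably enforced by the view's `permission_classes` and the code after the hunk — worth confirming, since the raw `role` value is what the rest of `post` (outside this hunk) goes on to use. The body of `post` continues past the end of the hunk.

```python
        role = request.data.get("role", 15)
        try:
            requested_role = int(role)
        except (TypeError, ValueError):
            return Response(
                {"error": "Invalid role."}, status=status.HTTP_400_BAD_REQUEST
            )

        requested_user_role = ProjectMember.objects.filter(
            workspace__slug=slug, project_id=project_id, member_id=request.user.id
        ).first()
        if requested_user_role is None:
            return Response(
                {"error": "You are not a member of this project."},
                status=status.HTTP_403_FORBIDDEN,
            )

        if requested_role > int(requested_user_role.role):
            # … unchanged: "cannot invite a user with higher role" response …
```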