forked from github/plane
dev: permission check
parent
16d26a41f4
commit
7bb157971d
@ -352,7 +352,17 @@ class InviteProjectEndpoint(BaseAPIView):
|
|||||||
|
|
||||||
def post(self, request, slug, project_id):
|
def post(self, request, slug, project_id):
|
||||||
email = request.data.get("email", False)
|
email = request.data.get("email", False)
|
||||||
role = request.data.get("role", False)
|
role = request.data.get("role", 15)
|
||||||
|
|
||||||
|
requested_user_role = ProjectMember.objects.get(
|
||||||
|
workspace__slug=slug, project_id=project_id, member_id=request.user.id
|
||||||
|
)
|
||||||
|
|
||||||
|
if int(role) > int(requested_user_role.role):
|
||||||
|
return Response(
|
||||||
|
{"error": "You cannot invite a user with higher role."},
|
||||||
|
status=status.HTTP_400_BAD_REQUEST,
|
||||||
|
)
|
||||||
|
|
||||||
# Check if email is provided
|
# Check if email is provided
|
||||||
if not email:
|
if not email:
|
||||||
@ -413,7 +423,6 @@ class InviteProjectEndpoint(BaseAPIView):
|
|||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
class UserProjectInvitationsViewset(BaseViewSet):
|
class UserProjectInvitationsViewset(BaseViewSet):
|
||||||
serializer_class = ProjectMemberInviteSerializer
|
serializer_class = ProjectMemberInviteSerializer
|
||||||
model = ProjectMemberInvite
|
model = ProjectMemberInvite
|
||||||
|
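Review bot: `int(role)` in the new role comparison in `post` runs on a client-supplied value with no validation, so a non-numeric or null `role` raises ValueError/TypeError before the check, and any integer at or below the requester's role passes it even if it is not a defined role. Validate `role` against the project's defined role values first and return a 400 for anything else. The `ProjectMember.objects.get(...)` lookup above it raises `ProjectMember.DoesNotExist` when the requester has no membership row for this project, which should be an explicit denial, e.g. `except ProjectMember.DoesNotExist: return Response({"error": "You are not a member of this project."}, status=status.HTTP_403_FORBIDDEN)`. The body of `post` continues outside the hunk, so whether an enclosing try/except already catches either exception cannot be confirmed from here.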