fix(demo): block external account actions

2026-06-07 00:50:42 +03:30
parent 30a324c6f4
commit 170ec90ec1
4 changed files with 47 additions and 3 deletions
--- a/apps/workspaces/api/views.py
+++ b/apps/workspaces/api/views.py
@@ -94,6 +94,14 @@ class WorkspaceViewSet(ModelViewSet):
    def perform_create(self, serializer):
        serializer.save(owner=self.request.user)

+    def create(self, request, *args, **kwargs):
+        if getattr(request.user, "is_demo", False):
+            return Response(
+                {"detail": "Demo accounts cannot create additional workspaces."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
+        return super().create(request, *args, **kwargs)
+
    @action(detail=True, methods=["get"], url_path="my-rates")
    def my_rates(self, request, pk=None):
        workspace = self.get_object()
@@ -246,7 +254,12 @@ class WorkspaceMembershipViewSet(ModelViewSet):
                status=status.HTTP_400_BAD_REQUEST
            )
            
-        workspace = get_object_or_404(Workspace, id=workspace_id)
+        workspace = get_object_or_404(Workspace, id=workspace_id)
+        if getattr(request.user, "is_demo", False):
+            return Response(
+                {"detail": "Demo accounts cannot add workspace members."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
        
        permission = IsWorkspaceAdmin()
        if not permission.has_object_permission(request, self, workspace):