initial commit

2026-03-11 17:12:28 +08:00
commit 5d1e1cb7cb
61 changed files with 2971 additions and 0 deletions
--- a/apps/workspaces/api/permissions.py
+++ b/apps/workspaces/api/permissions.py
@@ -0,0 +1,108 @@
+from rest_framework import permissions
+
+from apps.workspaces.models import Workspace, WorkspaceMembership
+
+
+class IsWorkspaceOwner(permissions.BasePermission):
+    """
+    Permission check: 
+    - User must be the explicit 'owner' on the Workspace model.
+    - OR User must have a WorkspaceMembership with the 'OWNER' role.
+    """
+    message = "Access denied. You must be the Workspace Owner to perform this action."
+
+    def has_object_permission(self, request, view, obj):
+        if not request.user or not request.user.is_authenticated:
+            return False
+
+        if isinstance(obj, Workspace):
+            workspace = obj
+        elif isinstance(obj, WorkspaceMembership):
+            workspace = obj.workspace
+        elif hasattr(obj, 'workspace'):
+            workspace = obj.workspace
+        else:
+            return False
+
+        if workspace.owner == request.user:
+            return True
+
+        return WorkspaceMembership.objects.filter(
+            workspace=workspace,
+            user=request.user,
+            role=WorkspaceMembership.Role.OWNER,
+            is_active=True
+        ).exists()
+
+
+class IsWorkspaceAdmin(permissions.BasePermission):
+    """
+    Permission check:
+    - User's role in the workspace is either 'ADMIN' or 'OWNER'.
+    """
+    message = "Access denied. You must be a Workspace Admin or Owner to perform this action."
+
+    def has_object_permission(self, request, view, obj):
+        if not request.user or not request.user.is_authenticated:
+            return False
+
+        if isinstance(obj, Workspace):
+            workspace = obj
+        elif isinstance(obj, WorkspaceMembership):
+            workspace = obj.workspace
+        elif hasattr(obj, 'workspace'):
+            workspace = obj.workspace
+        else:
+            return False
+
+        if workspace.owner == request.user:
+            return True
+
+        allowed_roles = [
+            WorkspaceMembership.Role.OWNER,
+            WorkspaceMembership.Role.ADMIN,
+        ]
+
+        return WorkspaceMembership.objects.filter(
+            workspace=workspace,
+            user=request.user,
+            role__in=allowed_roles,
+            is_active=True
+        ).exists()
+
+
+class IsWorkspaceMember(permissions.BasePermission):
+    """
+    Permission check:
+    - User's role in the workspace is 'OWNER', 'ADMIN', or 'MEMBER'.
+    """
+    message = "Access denied. You must be an active member of this workspace."
+
+    def has_object_permission(self, request, view, obj):
+        if not request.user or not request.user.is_authenticated:
+            return False
+
+        if isinstance(obj, Workspace):
+            workspace = obj
+        elif isinstance(obj, WorkspaceMembership):
+            workspace = obj.workspace
+        elif hasattr(obj, 'workspace'):
+            workspace = obj.workspace
+        else:
+            return False
+
+        if workspace.owner == request.user:
+            return True
+
+        allowed_roles = [
+            WorkspaceMembership.Role.OWNER,
+            WorkspaceMembership.Role.ADMIN,
+            WorkspaceMembership.Role.MEMBER,
+        ]
+
+        return WorkspaceMembership.objects.filter(
+            workspace=workspace,
+            user=request.user,
+            role__in=allowed_roles,
+            is_active=True
+        ).exists()