fix(permissions): restrict deletes and admin member management

2026-04-28 10:02:37 +03:30
parent 02c9c17c30
commit afb1a55570
9 changed files with 157 additions and 37 deletions
--- a/apps/clients/api/permissions.py
+++ b/apps/clients/api/permissions.py
@@ -6,6 +6,7 @@ from apps.workspaces.services import (
    CLIENTS_DELETE,
    CLIENTS_EDIT,
    CLIENTS_VIEW,
+    can_delete_workspace_object,
    has_workspace_capability,
 )

@@ -43,4 +44,6 @@ class IsClientWorkspaceMember(permissions.BasePermission):
            "partial_update": CLIENTS_EDIT,
            "destroy": CLIENTS_DELETE,
        }.get(view.action, CLIENTS_VIEW)
+        if view.action == "destroy":
+            return can_delete_workspace_object(request.user, obj, CLIENTS_DELETE)
        return has_workspace_capability(request.user, obj.workspace, capability)
--- a/apps/clients/services/clients.py
+++ b/apps/clients/services/clients.py
@@ -19,11 +19,13 @@ def create_client(user, workspace_id, name, notes=""):
    if Client.objects.filter(workspace_id=workspace_id, name=name, is_deleted=False).exists():
        raise ValidationError({"name": "مشتری با این نام در این فضای کاری وجود دارد."})

-    return Client.objects.create(
-        workspace_id=workspace_id,
-        name=name,
-        notes=notes
-    )
+    return Client.objects.create(
+        workspace_id=workspace_id,
+        name=name,
+        notes=notes,
+        created_by=user,
+        updated_by=user,
+    )


 def update_client(client, name=None, notes=None):