Qlockify/qlockify-backend-deployment
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(permissions): restrict deletes and admin member management

Browse Source
This commit is contained in:
Amirhossein Khalili
2026-04-28 10:02:37 +03:30
parent 02c9c17c30
commit afb1a55570
9 changed files with 157 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
apps/clients/api/permissions.py
View File

@@ -6,6 +6,7 @@ from apps.workspaces.services import (
CLIENTS_DELETE,
CLIENTS_EDIT,
CLIENTS_VIEW,
can_delete_workspace_object,
has_workspace_capability,
)
@@ -43,4 +44,6 @@ class IsClientWorkspaceMember(permissions.BasePermission):
"partial_update": CLIENTS_EDIT,
"destroy": CLIENTS_DELETE,
}.get(view.action, CLIENTS_VIEW)
if view.action == "destroy":
return can_delete_workspace_object(request.user, obj, CLIENTS_DELETE)
return has_workspace_capability(request.user, obj.workspace, capability)