fix(permissions): restrict deletes and admin member management

2026-04-28 10:02:37 +03:30
parent 02c9c17c30
commit afb1a55570
9 changed files with 157 additions and 37 deletions
--- a/apps/projects/api/views.py
+++ b/apps/projects/api/views.py
@@ -37,10 +37,12 @@ from apps.projects.services.memberships import add_project_member, update_projec
 from apps.workspaces.services import (
    PROJECTS_ARCHIVE,
    PROJECTS_CREATE,
+    PROJECTS_DELETE,
    PROJECTS_EDIT,
    PROJECT_MEMBERS_ADD,
    PROJECT_MEMBERS_CHANGE_ROLE,
    PROJECT_MEMBERS_REMOVE,
+    can_delete_workspace_object,
    has_project_capability,
    has_workspace_capability,
 )
@@ -78,14 +80,14 @@ class ProjectViewSet(ModelViewSet):
        """
        Returns active projects where the current user is an active member.
        """
-        if getattr(self, "swagger_fake_view", False) or not self.request.user.is_authenticated:
-            return Project.objects.none()
-
-        return Project.objects.filter(
-            memberships__user=self.request.user,
-            memberships__is_active=True,
-            is_deleted=False
-        ).distinct()
+        if getattr(self, "swagger_fake_view", False) or not self.request.user.is_authenticated:
+            return Project.objects.none()
+
+        return Project.objects.filter(
+            workspace__memberships__user=self.request.user,
+            workspace__memberships__is_active=True,
+            is_deleted=False
+        ).distinct()

    def get_serializer_class(self):
        """
@@ -216,14 +218,19 @@ class ProjectViewSet(ModelViewSet):
        output_serializer = ProjectSerializer(updated_project)
        return Response(output_serializer.data, status=status.HTTP_200_OK)

-    def destroy(self, request, *args, **kwargs):
-        """
-        Soft deletes a project.
-        """
-        project = self.get_object()
-        project.is_deleted = True
-        project.save(update_fields=["is_deleted", "updated_at"])
-        return Response(status=status.HTTP_204_NO_CONTENT)
+    def destroy(self, request, *args, **kwargs):
+        """
+        Soft deletes a project.
+        """
+        project = self.get_object()
+        if not can_delete_workspace_object(request.user, project, PROJECTS_DELETE):
+            return Response(
+                {"detail": "You do not have permission to delete this project."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
+        project.is_deleted = True
+        project.save(update_fields=["is_deleted", "updated_at"])
+        return Response(status=status.HTTP_204_NO_CONTENT)

    @action(detail=True, methods=["post"])
    def archive(self, request, pk=None):