Qlockify/qlockify-backend-deployment
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(permissions): restrict deletes and admin member management

Browse Source
This commit is contained in:
Amirhossein Khalili
2026-04-28 10:02:37 +03:30
parent 02c9c17c30
commit afb1a55570
9 changed files with 157 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
apps/workspaces/services/permissions.py
View File

@@ -166,6 +166,21 @@ def has_project_capability(user, project, capability: str) -> bool:
return is_project_manager and capability in PROJECT_MANAGER_CAPABILITIES
def can_delete_workspace_object(user, obj, capability: str) -> bool:
workspace = getattr(obj, "workspace", None)
if workspace is None:
return False
if not has_workspace_capability(user, workspace, capability):
return False
actor_role = get_workspace_role(user, workspace)
if actor_role == WorkspaceMembership.Role.OWNER:
return True
return getattr(obj, "created_by_id", None) == getattr(user, "id", None)
def can_manage_workspace_members(user, workspace: Workspace) -> bool:
return has_workspace_capability(user, workspace, WORKSPACE_MEMBERS_CHANGE_ROLE)
@@ -175,7 +190,10 @@ def can_assign_workspace_role(user, workspace: Workspace, role: str) -> bool:
if actor_role == WorkspaceMembership.Role.OWNER:
return True
if actor_role == WorkspaceMembership.Role.ADMIN:
return role != WorkspaceMembership.Role.OWNER
return role not in {
WorkspaceMembership.Role.OWNER,
WorkspaceMembership.Role.ADMIN,
}
return False
@@ -193,11 +211,15 @@ def can_change_workspace_membership(user, membership: WorkspaceMembership, *, ne
target_is_canonical_owner = workspace.owner_id == membership.user_id
target_is_owner_role = membership.role == WorkspaceMembership.Role.OWNER
target_is_admin_role = membership.role == WorkspaceMembership.Role.ADMIN
if actor_role == WorkspaceMembership.Role.ADMIN:
if target_is_owner_role or target_is_canonical_owner:
if target_is_owner_role or target_is_admin_role or target_is_canonical_owner:
return False
if new_role == WorkspaceMembership.Role.OWNER:
if new_role in {
WorkspaceMembership.Role.OWNER,
WorkspaceMembership.Role.ADMIN,
}:
return False
return True