feat(permissions): centralize workspace role capability checks

apps/time_entries/services/time_entries.py

@@ -2,24 +2,23 @@
 from django.utils import timezone
 from rest_framework.exceptions import ValidationError, PermissionDenied
 
-from apps.time_entries.models import TimeEntry
-from apps.time_entries.services.rates import resolve_rate
-from apps.workspaces.models import WorkspaceMembership
-
-
-def _verify_workspace_access(user, workspace_id):
-    """
-    Ensures the user is an active member of the specified workspace.
-    """
-    has_access = WorkspaceMembership.objects.filter(
-        workspace_id=workspace_id,
-        user=user,
-        is_active=True,
-        is_deleted=False
-    ).exists()
-    
-    if not has_access:
-        raise PermissionDenied("You do not have access to this workspace.")
+from apps.time_entries.models import TimeEntry
+from apps.time_entries.services.rates import resolve_rate
+from apps.workspaces.models import Workspace
+from apps.workspaces.services import TIME_ENTRIES_MANAGE_OWN, has_workspace_capability
+
+
+def _verify_workspace_access(user, workspace_id):
+    """
+    Ensures the user is an active member of the specified workspace.
+    """
+    workspace = Workspace.objects.filter(id=workspace_id, is_deleted=False).first()
+    if not workspace or not has_workspace_capability(
+        user,
+        workspace,
+        TIME_ENTRIES_MANAGE_OWN,
+    ):
+        raise PermissionDenied("You do not have access to this workspace.")
 
 
 def create_time_entry(user, workspace_id, start_time, end_time=None, project=None, tags=None, description="", is_billable=False):