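from rest_framework import permissions

from apps.workspaces.models import Workspace, WorkspaceMembership

# NOTE: every class in this module implements only ``has_object_permission``.
# DRF's ``BasePermission.has_permission`` returns True by default, and the
# object-level hook runs only when the view calls ``check_object_permissions``
# (the generic views do so inside ``get_object``). List and create endpoints,
# and custom views that fetch objects themselves, are therefore NOT restricted
# by these classes alone: pair them with a view-level permission and a
# queryset scoped to the requesting user's workspaces.


def _resolve_workspace(obj):
    """Return the workspace that *obj* is or belongs to, or None.

    A ``Workspace`` is returned as-is. Any other object (``WorkspaceMembership``
    included) is resolved through its ``workspace`` attribute. None is returned
    when the attribute is missing or unset, so callers can deny access instead
    of raising on ``None.owner``.
    """
    if isinstance(obj, Workspace):
        return obj
    return getattr(obj, "workspace", None)


def _has_workspace_role(request, obj, roles):
    """Tell whether the requesting user holds one of *roles* in obj's workspace.

    Args:
        request: The DRF request; ``request.user`` is the subject of the check.
        obj: A Workspace, a WorkspaceMembership, or any object exposing a
            ``workspace`` attribute.
        roles: Iterable of ``WorkspaceMembership.Role`` values that grant access.

    Returns:
        True when the user is the workspace's explicit ``owner`` or has an
        active membership with one of *roles*; False otherwise.
    """
    user = request.user
    if not user or not user.is_authenticated:
        return False

    workspace = _resolve_workspace(obj)
    if workspace is None:
        # Fail closed: an object with no resolvable workspace grants nothing.
        return False

    # The explicit owner field short-circuits the membership lookup, so it
    # grants access even without an active WorkspaceMembership row.
    if workspace.owner == user:
        return True

    return WorkspaceMembership.objects.filter(
        workspace=workspace,
        user=user,
        role__in=roles,
        is_active=True,
    ).exists()


class IsWorkspaceOwner(permissions.BasePermission):
    """
    Object-level permission check:
    - User must be the explicit 'owner' on the Workspace model.
    - OR User must have an active WorkspaceMembership with the 'OWNER' role.

    Unauthenticated requests and objects without a workspace are denied.
    """

    message = "Access denied. You must be the Workspace Owner to perform this action."

    def has_object_permission(self, request, view, obj):
        """Return True if the requesting user owns obj's workspace."""
        return _has_workspace_role(
            request,
            obj,
            [WorkspaceMembership.Role.OWNER],
        )


class IsWorkspaceAdmin(permissions.BasePermission):
    """
    Object-level permission check:
    - User is the explicit 'owner' on the Workspace model.
    - OR User's active role in the workspace is either 'ADMIN' or 'OWNER'.

    Unauthenticated requests and objects without a workspace are denied.
    """

    message = "Access denied. You must be a Workspace Admin or Owner to perform this action."

    def has_object_permission(self, request, view, obj):
        """Return True if the requesting user administers obj's workspace."""
        return _has_workspace_role(
            request,
            obj,
            [
                WorkspaceMembership.Role.OWNER,
                WorkspaceMembership.Role.ADMIN,
            ],
        )


class IsWorkspaceMember(permissions.BasePermission):
    """
    Object-level permission check:
    - User is the explicit 'owner' on the Workspace model.
    - OR User's active role in the workspace is 'OWNER', 'ADMIN', or 'MEMBER'.

    Unauthenticated requests and objects without a workspace are denied.
    """

    message = "Access denied. You must be an active member of this workspace."

    def has_object_permission(self, request, view, obj):
        """Return True if the requesting user is a member of obj's workspace."""
        return _has_workspace_role(
            request,
            obj,
            [
                WorkspaceMembership.Role.OWNER,
                WorkspaceMembership.Role.ADMIN,
                WorkspaceMembership.Role.MEMBER,
            ],
        )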