From ec2cc3c8f936f8e8dae49f7a07aae5b60690e17d Mon Sep 17 00:00:00 2001
From: NarayanBavisetti
Date: Wed, 27 Sep 2023 19:57:53 +0530
Subject: [PATCH 1/2] chore: global views order by
---
 apiserver/plane/api/views/view.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apiserver/plane/api/views/view.py b/apiserver/plane/api/views/view.py
index b6f1d7c4b73..435f8725a84 100644
--- a/apiserver/plane/api/views/view.py
+++ b/apiserver/plane/api/views/view.py
@@ -61,7 +61,7 @@ def get_queryset(self):
 .get_queryset()
 .filter(workspace__slug=self.kwargs.get("slug"))
 .select_related("workspace")
- .order_by("-created_at")
+ .order_by(self.request.GET.get("order_by", "-created_at"))
 .distinct()
 )
From 3e0f6a5e45629d06ecb5bb4a1431b12e97634bcd Mon Sep 17 00:00:00 2001
From: pablohashescobar
Date: Thu, 28 Sep 2023 11:30:13 +0530
Subject: [PATCH 2/2] chore: update permissions for global views
---
 apiserver/plane/api/permissions/workspace.py | 11 ++++++++++-
 apiserver/plane/api/views/issue.py | 2 --
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/apiserver/plane/api/permissions/workspace.py b/apiserver/plane/api/permissions/workspace.py
index d01b545ee18..66e8366146c 100644
--- a/apiserver/plane/api/permissions/workspace.py
+++ b/apiserver/plane/api/permissions/workspace.py
@@ -58,8 +58,17 @@ def has_permission(self, request, view):
 if request.user.is_anonymous:
 return False
+ ## Safe Methods -> Handle the filtering logic in queryset
+ if request.method in SAFE_METHODS:
+ return WorkspaceMember.objects.filter(
+ workspace__slug=view.workspace_slug,
+ member=request.user,
+ ).exists()
+
 return WorkspaceMember.objects.filter(
- member=request.user, workspace__slug=view.workspace_slug
+ member=request.user,
+ workspace__slug=view.workspace_slug,
+ role__in=[Owner, Admin],
 ).exists()
diff --git a/apiserver/plane/api/views/issue.py b/apiserver/plane/api/views/issue.py
index 8440954346f..29f14e437f3 100644
--- a/apiserver/plane/api/views/issue.py
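Review bot: In `get_queryset` in apiserver/plane/api/views/view.py, the `order_by` query parameter now flows from `self.request.GET` into `.order_by()` with no validation. Django's `order_by` accepts any resolvable field path, including traversals through relations such as `workspace`, so a caller can sort on columns the API does not expose and learn about their values from the row order. An unknown field name will also raise inside the ORM rather than yield a clean 400, unless that is handled elsewhere. Check the value against an explicit allow-list and fall back to the default, for example `order_by = self.request.GET.get("order_by", "-created_at")` followed by `if order_by.lstrip("-") not in ALLOWED_ORDER_FIELDS: order_by = "-created_at"`, where `ALLOWED_ORDER_FIELDS` is a tuple of sortable field names you would define on the view. The body of `get_queryset` starts outside the hunk.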
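Review bot: In `has_permission` in apiserver/plane/api/permissions/workspace.py, the new `SAFE_METHODS` branch carries no role condition, so every workspace member passes for reads. Restricting what each role may see is left to the view's queryset, which is not visible here. The `##` comment should state that contract directly, e.g. `# Read-only requests: any workspace member passes; per-role visibility must be enforced by the view's queryset.` The enclosing class is outside the hunk, so confirm that every view using it is meant to reject non-safe methods from members who are not `Owner` or `Admin`. Also confirm that `SAFE_METHODS`, `Owner` and `Admin` are already in scope in this module, since their imports or definitions are not part of the hunk.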
+++ b/apiserver/plane/api/views/issue.py
@@ -24,7 +24,6 @@
 from django.utils.decorators import method_decorator
 from django.views.decorators.gzip import gzip_page
 from django.db import IntegrityError
-from django.conf import settings
 from django.db import IntegrityError
 # Third Party imports
@@ -58,7 +57,6 @@
 IssuePublicSerializer,
 )
 from plane.api.permissions import (
- WorkspaceEntityPermission,
 ProjectEntityPermission,
 WorkSpaceAdminPermission,
 ProjectMemberPermission,