makeplane · sriramveeraghanta · Sep 28, 2023 · Sep 27, 2023 · Sep 28, 2023
diff --git a/apiserver/plane/api/permissions/workspace.py b/apiserver/plane/api/permissions/workspace.py
@@ -58,8 +58,17 @@ def has_permission(self, request, view):
         if request.user.is_anonymous:
             return False
 
+        ## Safe Methods -> Handle the filtering logic in queryset
+        if request.method in SAFE_METHODS:
+            return WorkspaceMember.objects.filter(
+                workspace__slug=view.workspace_slug,
+                member=request.user,
+            ).exists()
+
         return WorkspaceMember.objects.filter(
-            member=request.user, workspace__slug=view.workspace_slug
+            member=request.user,
+            workspace__slug=view.workspace_slug,
+            role__in=[Owner, Admin],
         ).exists()
 
 

diff --git a/apiserver/plane/api/views/issue.py b/apiserver/plane/api/views/issue.py
@@ -24,7 +24,6 @@
 from django.utils.decorators import method_decorator
 from django.views.decorators.gzip import gzip_page
 from django.db import IntegrityError
-from django.conf import settings
 from django.db import IntegrityError
 
 # Third Party imports
@@ -58,7 +57,6 @@
     IssuePublicSerializer,
 )
 from plane.api.permissions import (
-    WorkspaceEntityPermission,
     ProjectEntityPermission,
     WorkSpaceAdminPermission,
     ProjectMemberPermission,

diff --git a/apiserver/plane/api/views/view.py b/apiserver/plane/api/views/view.py
@@ -61,7 +61,7 @@ def get_queryset(self):
             .get_queryset()
             .filter(workspace__slug=self.kwargs.get("slug"))
             .select_related("workspace")
-            .order_by("-created_at")
+            .order_by(self.request.GET.get("order_by", "-created_at"))
             .distinct()
         )