Skip to content

[WEB-2126] chore: guest and viewer role permission#5347

Merged
pushya22 merged 35 commits intopreviewfrom
fix-user-role-permission
Aug 16, 2024
Merged

[WEB-2126] chore: guest and viewer role permission#5347
pushya22 merged 35 commits intopreviewfrom
fix-user-role-permission

Conversation

@anmolsinghbhatia
Copy link
Collaborator

@anmolsinghbhatia anmolsinghbhatia commented Aug 10, 2024
edited by coderabbitai bot
Loading

Changes:

This PR includes following changes:

  • Updated Viewer & Guest permissions at both workspace and project levels (see WEB-1506 for details).
  • Refactored the user store and introduced computed functions to reduce code repetition.
  • Added an unauthorized screen for workspace and project settings.

Reference:

[WEB-1506] [WEB-2126]

Summary by CodeRabbit

  • New Features

    • Introduced a new permission management system that utilizes role-based access control to enhance security and user access across various components.

  • Improvements

    • Improved authorization checks in multiple components to ensure appropriate access levels based on user roles.
    • Updated permission handling for various endpoints, allowing for more granular control over access rights.

  • Bug Fixes

    • Resolved inconsistencies in access permissions for project and workspace settings, ensuring users see appropriate options based on their roles.

@anmolsinghbhatia anmolsinghbhatia added this to the v0.23-dev milestone Aug 10, 2024
@anmolsinghbhatia anmolsinghbhatia self-assigned this Aug 10, 2024
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Aug 10, 2024
edited
Loading

Walkthrough

The recent changes enhance permission management across various components using the new @allow_permission decorator. This refactoring allows for more granular control of access based on user roles, simplifying existing permission logic. The updates affect backend views and frontend components, ensuring a consistent and secure approach to permissions throughout the application, ultimately improving the user experience when interacting with workspaces and projects.

Changes

Files Change Summary
apiserver/plane/app/permissions/__init__.py, apiserver/plane/app/permissions/base.py Introduced allow_permission decorator for enhanced permission management using role-based access.
apiserver/plane/app/views/cycle/..., apiserver/plane/app/views/inbox/base.py, apiserver/plane/app/views/issue/... Replaced static permission classes with the @allow_permission decorator in multiple endpoint classes, enhancing access control.
web/... Enhanced frontend authorization logic and state management in various components for improved user experience.
web/core/... Updated access levels and user store interfaces for improved role and permission management.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Frontend
    participant Backend

    User->>Frontend: Request Access
    Frontend->>Backend: Validate User Role
    Backend-->>Frontend: Role Validated
    Frontend-->>User: Grant Access
Loading

🐇
In the garden where permissions bloom,
A rabbit hops to chase away the gloom.
With roles now clear and access bright,
Every user can find delight.
Hopping through the fields of code,
A safer path for all to trode! 🌼

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share
Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai generate interesting stats about this repository and render them as a table.
    • @coderabbitai show all the console.log statements in this repository.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@anmolsinghbhatia
chore: general unauthorized screen asset added
e1471fe
@anmolsinghbhatia
chore: workspace setting sidebar options updated for guest and viewer
aa73ed1
@anmolsinghbhatia
chore: NotAuthorizedView component code updated
1089c2f
@anmolsinghbhatia
chore: project setting layout code refactor
acac14c
@anmolsinghbhatia
chore: workspace setting members and exports page permission validati…
0ff7f12 
…on added
@anmolsinghbhatia
chore: workspace members and exports settings page improvement
b50ebd3
@anmolsinghbhatia
chore: project invite modal updated
8ae4c7c
@anmolsinghbhatia
chore: workspace setting unauthorized access empty state
d2cf355
@anmolsinghbhatia
chore: workspace setting unauthorized access empty state
fa51873
@anmolsinghbhatia
chore: project settings sidebar permission updated
f0906ae
@anmolsinghbhatia
fix: project settings user role permission updated
8818beb
@anmolsinghbhatia
chore: app sidebar role permission validation updated
af31302
@anmolsinghbhatia
chore: app sidebar role permission validation
32e9eb5
@anmolsinghbhatia anmolsinghbhatia changed the title [WEB-2126] chore: user store code refactor [WEB-2126] chore: guest and viewer role permission Aug 12, 2024
@anmolsinghbhatia anmolsinghbhatia marked this pull request as ready for review August 14, 2024 09:46
coderabbitai[bot]
coderabbitai bot reviewed Aug 14, 2024
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

Outside diff range, codebase verification and nitpick comments (6)
apiserver/plane/app/views/workspace/label.py (1)

16-16: Remove trailing whitespace.

There is a trailing whitespace on this line. Clean up the whitespace to maintain code quality.

-    
+
Tools
GitHub Check: Codacy Static Code Analysis

[notice] 16-16: apiserver/plane/app/views/workspace/label.py#L16
Trailing whitespace

apiserver/plane/app/urls/inbox.py (1)

URL Parameter Change: Ensure Consistency Across Codebase and Documentation

The change from <uuid:issue_id> to <uuid:pk> in the URL pattern may impact API clients. The search results show that <uuid:issue_id> is still used in other parts of the codebase. Ensure that all instances are consistently updated and that relevant documentation and client integrations reflect this change.

  • Check for consistency in URL patterns across the codebase.
  • Update documentation and client integrations to use <uuid:pk> where applicable.
Analysis chain

Line range hint 43-53:
URL Parameter Change: Update API Clients and Documentation.

The change from <uuid:issue_id> to <uuid:pk> may impact existing API clients. Ensure that all relevant documentation and client integrations are updated to reflect this change.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that documentation and client integrations are updated for the URL parameter change.

# Test: Search for references to the old and new URL patterns in documentation and client code.
rg '<uuid:issue_id>|<uuid:pk>' -A 5

Length of output: 35698

web/core/components/auth-screens/not-authorized-view.tsx (1)

8-8: Remove unused import if applicable.

The Unauthorized image is imported but not used in the component. If it is unnecessary, consider removing it to keep the code clean.

- import Unauthorized from "@/public/auth/unauthorized.svg";
web/app/[workspaceSlug]/(projects)/settings/exports/page.tsx (1)

33-36: Improve visual feedback for permission levels.

The opacity change based on canPerformWorkspaceMemberActions provides visual feedback about permissions. Consider additional visual cues or tooltips for better user understanding.

<div
  className={cn("w-full overflow-y-auto md:pr-9 pr-4", {
    "opacity-60": !canPerformWorkspaceMemberActions,
  })}
  title={!canPerformWorkspaceMemberActions ? "Limited Access" : ""}
>
web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/estimates/page.tsx (1)

32-39: Improve user feedback for admin permissions.

The use of pointer-events-none and opacity-60 provides visual cues for permissions. Consider additional feedback mechanisms for clarity.

<div
  className={`w-full overflow-y-auto py-8 pr-9 ${canPerformProjectAdminActions ? "" : "pointer-events-none opacity-60"}`}
  title={!canPerformProjectAdminActions ? "Admin Access Required" : ""}
>
apiserver/plane/app/views/search/issue.py (1)

76-76: Remove trailing whitespace.

There's a trailing whitespace on this line that should be removed to maintain code cleanliness.

-        
+
Tools
GitHub Check: Codacy Static Code Analysis

[notice] 76-76: apiserver/plane/app/views/search/issue.py#L76
Trailing whitespace

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 269e6cc and 3151bce.

Files ignored due to path filters (1)
  • web/public/auth/unauthorized.svg is excluded by !**/*.svg
Files selected for processing (61)
  • apiserver/plane/app/permissions/init.py (1 hunks)
  • apiserver/plane/app/permissions/base.py (1 hunks)
  • apiserver/plane/app/urls/inbox.py (1 hunks)
  • apiserver/plane/app/views/analytic/base.py (5 hunks)
  • apiserver/plane/app/views/cycle/archive.py (5 hunks)
  • apiserver/plane/app/views/cycle/base.py (13 hunks)
  • apiserver/plane/app/views/cycle/issue.py (7 hunks)
  • apiserver/plane/app/views/dashboard/base.py (6 hunks)
  • apiserver/plane/app/views/estimate/base.py (5 hunks)
  • apiserver/plane/app/views/exporter/base.py (3 hunks)
  • apiserver/plane/app/views/external/base.py (3 hunks)
  • apiserver/plane/app/views/inbox/base.py (14 hunks)
  • apiserver/plane/app/views/issue/activity.py (2 hunks)
  • apiserver/plane/app/views/issue/archive.py (6 hunks)
  • apiserver/plane/app/views/issue/attachment.py (3 hunks)
  • apiserver/plane/app/views/issue/base.py (12 hunks)
  • apiserver/plane/app/views/issue/comment.py (5 hunks)
  • apiserver/plane/app/views/issue/label.py (4 hunks)
  • apiserver/plane/app/views/module/base.py (9 hunks)
  • apiserver/plane/app/views/module/issue.py (6 hunks)
  • apiserver/plane/app/views/notification/base.py (11 hunks)
  • apiserver/plane/app/views/page/base.py (17 hunks)
  • apiserver/plane/app/views/project/base.py (11 hunks)
  • apiserver/plane/app/views/project/member.py (8 hunks)
  • apiserver/plane/app/views/search/issue.py (2 hunks)
  • apiserver/plane/app/views/view/base.py (13 hunks)
  • apiserver/plane/app/views/webhook/base.py (5 hunks)
  • apiserver/plane/app/views/workspace/favorite.py (5 hunks)
  • apiserver/plane/app/views/workspace/label.py (1 hunks)
  • web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/pages/(list)/page.tsx (3 hunks)
  • web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/automations/page.tsx (3 hunks)
  • web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/estimates/page.tsx (1 hunks)
  • web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/features/page.tsx (1 hunks)
  • web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/header.tsx (2 hunks)
  • web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/labels/page.tsx (2 hunks)
  • web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/layout.tsx (3 hunks)
  • web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/members/page.tsx (1 hunks)
  • web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/sidebar.tsx (3 hunks)
  • web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/states/page.tsx (1 hunks)
  • web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/views/(list)/header.tsx (3 hunks)
  • web/app/[workspaceSlug]/(projects)/settings/api-tokens/page.tsx (3 hunks)
  • web/app/[workspaceSlug]/(projects)/settings/billing/page.tsx (2 hunks)
  • web/app/[workspaceSlug]/(projects)/settings/exports/page.tsx (2 hunks)
  • web/app/[workspaceSlug]/(projects)/settings/members/page.tsx (5 hunks)
  • web/app/[workspaceSlug]/(projects)/settings/webhooks/page.tsx (4 hunks)
  • web/app/[workspaceSlug]/(projects)/sidebar.tsx (3 hunks)
  • web/app/[workspaceSlug]/(projects)/workspace-views/header.tsx (4 hunks)
  • web/ce/constants/workspace.ts (2 hunks)
  • web/core/components/auth-screens/not-authorized-view.tsx (1 hunks)
  • web/core/components/command-palette/command-palette.tsx (3 hunks)
  • web/core/components/pages/list/block-item-action.tsx (3 hunks)
  • web/core/components/project/send-project-invitation-modal.tsx (5 hunks)
  • web/core/components/project/settings/member-columns.tsx (3 hunks)
  • web/core/components/workspace/sidebar/projects-list-item.tsx (6 hunks)
  • web/core/components/workspace/sidebar/projects-list.tsx (1 hunks)
  • web/core/constants/dashboard.ts (2 hunks)
  • web/core/constants/empty-state.ts (1 hunks)
  • web/core/constants/project.ts (1 hunks)
  • web/core/hooks/use-favorite-item-details.tsx (1 hunks)
  • web/core/layouts/auth-layout/workspace-wrapper.tsx (2 hunks)
  • web/core/store/user/index.ts (3 hunks)
Files skipped from review due to trivial changes (1)
  • web/core/components/workspace/sidebar/projects-list.tsx
Additional context used
Ruff
apiserver/plane/app/permissions/__init__.py

15-15: .base.allow_permission imported but unused; consider removing, adding to __all__, or using a redundant alias

(F401)

GitHub Check: Codacy Static Code Analysis
apiserver/plane/app/permissions/__init__.py

[notice] 15-15: apiserver/plane/app/permissions/init.py#L15
'.base.allow_permission' imported but unused (F401)

apiserver/plane/app/views/workspace/label.py

[notice] 16-16: apiserver/plane/app/views/workspace/label.py#L16
Trailing whitespace

apiserver/plane/app/views/search/issue.py

[notice] 76-76: apiserver/plane/app/views/search/issue.py#L76
Trailing whitespace

Biome
web/core/components/workspace/sidebar/projects-list-item.tsx

[error] 502-528: Missing key property for this element in iterable.

The order of the items may change, and having a key can help React identify which item was moved.
Check the React documentation.

(lint/correctness/useJsxKeyInIterable)

Additional comments not posted (209)
web/app/[workspaceSlug]/(projects)/settings/billing/page.tsx (1)

5-5: LGTM! Authorization logic improvements.

The changes enhance the authorization logic by using canPerformWorkspaceAdminActions and rendering a dedicated NotAuthorizedView. This improves flexibility and user experience.

Also applies to: 15-24

web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/layout.tsx (1)

Line range hint 14-31:
Potential Security Concern: Verify Access Control.

The removal of the MobX observer and conditional checks for user roles might lead to unauthorized access to project settings. Ensure that access control is handled elsewhere in the application to prevent security vulnerabilities.

Verification successful

Access Control is Managed Elsewhere in the Application

The removal of the MobX observer from the ProjectSettingLayout component does not lead to unauthorized access issues, as access control is handled through role and permission checks in other parts of the codebase. These checks ensure that only users with the appropriate roles can access or modify project settings.

  • Access control logic is present in various components and services, managing user roles and permissions effectively.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that access control for project settings is handled elsewhere in the application.

# Test: Check for access control logic related to project settings.
rg --type js --type ts 'ProjectSettingLayout' -A 10

Length of output: 2061

Script:

#!/bin/bash
# Description: Search for access control logic related to project settings in the application.

# Test: Look for role-based access control or permission checks in the codebase.
rg --type js --type ts 'role' -A 5 -B 5
rg --type js --type ts 'permission' -A 5 -B 5

Length of output: 148866

web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/members/page.tsx (1)

5-23: Authorization Checks Added: Looks Good!

The addition of user role validation and authorization checks enhances security by preventing unauthorized access to the members' settings page. The use of NotAuthorizedView effectively communicates access restrictions to users.

Ensure that these changes integrate well with other parts of the application.

Verification successful

Authorization Checks Are Well Integrated Across the Codebase

The use of useUser and NotAuthorizedView is consistent and widespread, indicating that role-based access control is a well-established pattern. The changes in the MembersSettingsPage align well with existing practices.

  • No issues found with the integration of authorization checks.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify integration with other components that may rely on user role validation.

# Test: Check for usage of `useUser` and `NotAuthorizedView` in related components.
rg --type js --type ts 'useUser|NotAuthorizedView' -A 10

Length of output: 383023

web/core/components/auth-screens/not-authorized-view.tsx (2)

18-22: LGTM! Simplified rendering logic.

The refactored logic for determining the image asset is concise and improves maintainability. The use of section and isProjectView props enhances flexibility.

13-14: Props update: Ensure consistency across the application.

The props section and isProjectView replace the old type prop. Verify that all instances of NotAuthorizedView in the codebase are updated to use these new props.

Verification successful

Props update verified: Instances of NotAuthorizedView use new props.

The codebase consistently uses the new section and isProjectView props for the NotAuthorizedView component. No instances of the old type prop were found.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify usage of the updated props in NotAuthorizedView across the codebase.

# Test: Search for NotAuthorizedView usage. Expect: Only occurrences with new props.
rg --type tsx -A 5 $'<NotAuthorizedView'

Length of output: 69

Script:

#!/bin/bash
# Find all .tsx files and search for the usage of NotAuthorizedView with new props.
fd --extension tsx --exec rg '<NotAuthorizedView' -A 5

Length of output: 1396

web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/states/page.tsx (3)

23-25: LGTM! Conditional rendering enhances security.

The conditional rendering of NotAuthorizedView based on user permissions is correctly implemented, enhancing security and user experience.

6-6: Ensure correct import path for NotAuthorizedView.

The import path for NotAuthorizedView should be verified to ensure it points to the correct component location.

Verification successful

Import Path Verified for NotAuthorizedView

The import path for NotAuthorizedView is correct and points to the existing component location in the codebase.

  • The component is located at ./web/core/components/auth-screens/not-authorized-view.tsx.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the import path for NotAuthorizedView.

# Test: Check if the NotAuthorizedView component exists at the specified path.
fd 'not-authorized-view.tsx' --exec echo 'Found: {}'

Length of output: 118

16-19: Verify user role and permissions logic.

The logic for extracting canPerformProjectMemberActions and currentProjectRole should be verified to ensure it correctly reflects the user's permissions.

Verification successful

User Role and Permissions Logic Verified

The useUser hook retrieves user-related information, including canPerformProjectMemberActions and currentProjectRole, from the user store context. The logic for these properties is defined as follows:

  • currentProjectRole: This is derived from the user's membership information and is computed based on the project ID.
  • canPerformProjectMemberActions: This is a computed property that checks if the currentProjectRole is at least EUserProjectRoles.MEMBER.

The logic correctly reflects the user's permissions by ensuring that actions are only allowed if the user has the appropriate role. No issues were found in the implementation.

  • Relevant files:
    • web/core/store/user/index.ts
    • web/core/store/user/user-membership.store.ts
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the implementation of useUser hook for role and permissions.

# Test: Search for the useUser hook implementation. Expect: Correct extraction of permissions and role.
ast-grep --lang typescript --pattern $'const useUser = () => { $$$ }'

Length of output: 70

Script:

#!/bin/bash
# Description: Search for the useUser function across the codebase to locate its definition or import statement.

# Search for useUser function or import statement
rg 'useUser' -A 5

Length of output: 207299

Script:

#!/bin/bash
# Description: Search for the context or store definition related to useUser to understand how permissions and roles are set.

# Search for the StoreContext definition and its usage related to user roles and permissions
rg 'StoreContext' -A 10

# Search for canPerformProjectMemberActions and currentProjectRole in the context or store
rg 'canPerformProjectMemberActions|currentProjectRole' -A 5

Length of output: 155926

web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/features/page.tsx (4)

6-6: Ensure correct import path for NotAuthorizedView.

The import path for NotAuthorizedView should be verified to ensure it points to the correct component location.

16-17: Verify user role and permissions logic.

The logic for extracting canPerformProjectAdminActions and currentProjectRole should be verified to ensure it correctly reflects the user's permissions.

25-27: LGTM! Conditional rendering enhances security.

The conditional rendering of NotAuthorizedView based on user permissions is correctly implemented, enhancing security and user experience.

32-36: Ensure correct usage of isAdmin prop.

The isAdmin prop is now directly tied to canPerformProjectAdminActions. Ensure that this change is consistent with the intended logic throughout the application.

web/app/[workspaceSlug]/(projects)/settings/exports/page.tsx (3)

25-28: Enhance unauthorized access handling.

The conditional rendering of NotAuthorizedView provides a clear message for unauthorized access. Ensure this logic aligns with the application's security requirements.

5-5: Ensure the NotAuthorizedView component handles all necessary cases.

The addition of the NotAuthorizedView component improves user feedback. Verify that it covers all scenarios for unauthorized access.

16-17: Verify hooks for role-based actions.

The introduction of canPerformWorkspaceViewerActions and canPerformWorkspaceMemberActions hooks enhances role checks. Ensure these hooks are correctly implemented and used.

Verification successful

Hooks for Role-Based Actions Verified

The hooks canPerformWorkspaceViewerActions and canPerformWorkspaceMemberActions are implemented and used across multiple files, indicating they are part of a user role management system. Their usage in conditional checks and UI components confirms their role-based functionality.

  • Files Involved:
    • web/app/[workspaceSlug]/(projects)/settings/exports/page.tsx
    • web/core/store/user/index.ts
    • web/app/[workspaceSlug]/(projects)/settings/members/page.tsx
    • web/core/components/command-palette/command-palette.tsx
    • web/core/layouts/auth-layout/workspace-wrapper.tsx
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the implementation and usage of role-based action hooks.

# Test: Search for the implementation of `canPerformWorkspaceViewerActions` and `canPerformWorkspaceMemberActions`. Expect: Correct implementation and usage.
rg --type tsx $'function canPerformWorkspaceViewerActions'
rg --type tsx $'function canPerformWorkspaceMemberActions'

Length of output: 175

Script:

#!/bin/bash
# Description: Verify the implementation and usage of role-based action hooks.

# Test: Search for the implementation of `canPerformWorkspaceViewerActions` and `canPerformWorkspaceMemberActions`. Expect: Correct implementation and usage.
rg --type ts 'function canPerformWorkspaceViewerActions'
rg --type ts 'function canPerformWorkspaceMemberActions'

Length of output: 117

Script:

#!/bin/bash
# Description: Verify the usage of role-based action hooks by searching for their identifiers.

# Test: Search for the identifiers `canPerformWorkspaceViewerActions` and `canPerformWorkspaceMemberActions` in TypeScript files.
rg --type ts 'canPerformWorkspaceViewerActions'
rg --type ts 'canPerformWorkspaceMemberActions'

Length of output: 2467

web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/estimates/page.tsx (3)

6-6: Ensure comprehensive handling in NotAuthorizedView.

The use of NotAuthorizedView for unauthorized access is a good addition. Verify its implementation covers all necessary scenarios.

25-27: Enhance unauthorized access handling.

The conditional rendering of NotAuthorizedView for project settings is well-implemented. Ensure this aligns with project security policies.

15-15: Verify the new derived value for admin actions.

The introduction of canPerformProjectAdminActions improves permission checks. Ensure this value is correctly derived and used throughout the application.

Verification successful

The derived value canPerformProjectAdminActions is correctly implemented and used.

The canPerformProjectAdminActions is defined and utilized across various components and pages for permission checks. Its usage in logical conditions and as a prop indicates it is effectively integrated for managing admin actions.

  • Definition: web/core/store/user/index.ts
  • Usage: Found in components like delete-issue-modal.tsx, command-palette.tsx, and several settings pages.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the implementation and usage of `canPerformProjectAdminActions`.

# Test: Search for the implementation of `canPerformProjectAdminActions`. Expect: Correct implementation and usage.
rg --type tsx $'function canPerformProjectAdminActions'

Length of output: 84

Script:

#!/bin/bash
# Search for the implementation of `canPerformProjectAdminActions` in TypeScript files.
rg 'canPerformProjectAdminActions' --type ts

Length of output: 2674

web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/labels/page.tsx (3)

8-8: Ensure comprehensive handling in NotAuthorizedView.

The addition of NotAuthorizedView enhances unauthorized access handling. Verify its implementation covers all necessary scenarios.

12-12: Verify hooks for role-based actions.

The use of useUser and useProject hooks for role checks is crucial. Ensure these hooks are correctly implemented and used.

38-40: Enhance unauthorized access handling.

The conditional rendering of NotAuthorizedView for label settings is effective. Ensure this logic aligns with project security requirements.

web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/automations/page.tsx (4)

10-10: Introduce NotAuthorizedView for better UX.

The addition of NotAuthorizedView improves the user experience by providing immediate feedback when users lack the necessary permissions.

21-21: Use canPerformProjectAdminActions for permission checks.

Introducing canPerformProjectAdminActions clarifies the permission logic and helps maintain clean and understandable code.

41-42: Conditional rendering for unauthorized access.

The conditional rendering of NotAuthorizedView effectively prevents unauthorized users from accessing the settings page.

48-48: Opacity control based on permissions.

Using canPerformProjectAdminActions to control section opacity provides a subtle yet effective visual cue about user permissions.

web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/pages/(list)/page.tsx (4)

9-9: Introduce EmptyState for restricted access.

Adding the EmptyState component provides a clear and user-friendly message when access to the project page is disabled.

12-12: Use EmptyStateType for consistent messaging.

Using EmptyStateType.DISABLED_PROJECT_PAGE ensures consistent messaging across the application when access is restricted.

22-22: Access currentProjectDetails for enhanced state management.

The inclusion of currentProjectDetails from the useProject hook allows for more robust state management and conditional rendering based on project details.

37-45: Conditional rendering based on page_view.

The conditional check for currentProjectDetails?.page_view effectively manages access control and provides appropriate feedback to users.

web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/sidebar.tsx (2)

4-4: Wrap component with observer for reactivity.

Wrapping ProjectSettingsSidebar with observer allows it to reactively update in response to changes in MobX observable state, enhancing its responsiveness.

16-16: Enhance component interactivity with MobX.

The use of observer integrates MobX's state management capabilities, making the ProjectSettingsSidebar more dynamic and interactive.

apiserver/plane/app/permissions/base.py (3)

7-12: Clarify role values mapping.

The ROLE_VALUES dictionary provides a clear mapping of roles to numeric values, which is crucial for permission checks. Ensure that these values align with the rest of the system's role hierarchy.

15-16: Ensure role values are comprehensive.

The get_role_values function retrieves numeric values for roles. Make sure all roles used throughout the application are covered in ROLE_VALUES.

Verification successful

Role Values Are Comprehensive

The roles defined in ROLE_VALUES ("ADMIN", "MEMBER", "VIEWER", "GUEST") are used consistently throughout the application. No additional roles were found that are not covered by ROLE_VALUES.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify all roles used in the application are covered in ROLE_VALUES.

# Test: Search for role usage across the codebase. Expect: All roles have corresponding entries in ROLE_VALUES.
rg --type python 'role' | grep -i 'role' | grep -v 'ROLE_VALUES'

Length of output: 91

Script:

#!/bin/bash
# Find the definition of ROLE_VALUES and list its entries
rg --type py 'ROLE_VALUES' -A 5

# Search for all instances of role usage in Python files
rg --type py 'role' | grep -i 'role'

Length of output: 21723

19-59: Review permission logic in allow_permission.

The allow_permission decorator effectively checks user roles and creator status. Ensure that:

  • The logic for checking workspace and project permissions is correct.
  • The model parameter is used securely to prevent unauthorized access.
  • The decorator is applied consistently across views requiring permission checks.
Verification successful

Consistent Application of allow_permission Decorator Verified

The allow_permission decorator is applied consistently across various views in the codebase. The search results show its usage in multiple files and functions, indicating that permission checks are implemented where necessary. This supports the review comment's concern about ensuring consistent application.

  • Files with allow_permission usage:
    • apiserver/plane/app/views/exporter/base.py
    • apiserver/plane/app/views/inbox/base.py
    • apiserver/plane/app/views/workspace/favorite.py
    • apiserver/plane/app/views/notification/base.py
    • apiserver/plane/app/views/module/issue.py
    • apiserver/plane/app/views/webhook/base.py
    • apiserver/plane/app/views/view/base.py
    • apiserver/plane/app/views/project/base.py
    • apiserver/plane/app/views/project/member.py
    • apiserver/plane/app/views/estimate/base.py
    • apiserver/plane/app/views/external/base.py
    • apiserver/plane/app/views/issue/archive.py
    • apiserver/plane/app/views/issue/comment.py
    • apiserver/plane/app/views/issue/label.py
    • apiserver/plane/app/views/issue/attachment.py
    • apiserver/plane/app/views/issue/activity.py
    • apiserver/plane/app/views/module/base.py
    • apiserver/plane/app/views/cycle/issue.py
    • apiserver/plane/app/views/cycle/base.py
    • apiserver/plane/app/views/cycle/archive.py
    • apiserver/plane/app/views/issue/base.py

This indicates that the decorator is widely used to enforce permission checks.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the consistent application of `allow_permission` decorator across views.

# Test: Search for views using `allow_permission`. Expect: All relevant views have the decorator applied.
rg --type python '@allow_permission'

Length of output: 67

Script:

#!/bin/bash
# Description: Verify the consistent application of `allow_permission` decorator across views.

# Test: Search for views using `allow_permission`. Expect: All relevant views have the decorator applied.
rg '@allow_permission' --glob '*.py' -A 5

Length of output: 62242

web/core/hooks/use-favorite-item-details.tsx (2)

9-12: Use optional chaining for safety.

Optional chaining (?.) is used to safely access properties of favorite. This prevents runtime errors if favorite or its nested properties are undefined.

9-12: Update function signature to reflect optional parameter.

The function signature should reflect that favorite can be optional by using favorite?: IFavorite. This aligns with the use of optional chaining.

web/ce/constants/workspace.ts (2)

20-20: Verify role update for "Members" section.

The access level for the "Members" section has been changed to VIEWER. Ensure this change aligns with the overall permission strategy and does not expose sensitive member information.

Verification successful

No sensitive data exposure found in "Members" section.

The change in access level to VIEWER for the "Members" section does not expose any sensitive data. This update aligns with the permission strategy without compromising data security.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the implications of changing access level for "Members" to VIEWER.

# Test: Check for any sensitive data exposure in the "Members" section. Expect: No sensitive data is exposed.
rg --type tsx 'members' | grep -i 'sensitive'

Length of output: 71

Script:

#!/bin/bash
# Description: Verify the implications of changing access level for "Members" to VIEWER.

# Test: Check for any sensitive data exposure in the "Members" section. Expect: No sensitive data is exposed.
rg --type ts 'members' | grep -i 'sensitive'
rg --type jsx 'members' | grep -i 'sensitive'

Length of output: 114

Script:

#!/bin/bash
# Description: Verify the implications of changing access level for "Members" to VIEWER.

# Test: Check for any sensitive data exposure in the "Members" section. Expect: No sensitive data is exposed.
rg --type ts 'members' | grep -i 'sensitive'
rg --type js 'members' | grep -i 'sensitive'

Length of output: 85

36-36: Verify role update for "Exports" section.

The access level for the "Exports" section has been changed to VIEWER. Ensure this change is intended and does not allow unauthorized data export.

web/app/[workspaceSlug]/(projects)/sidebar.tsx (3)

16-16: Import the useUser hook.

The useUser hook has been imported to manage user permissions in the sidebar. Ensure that this hook is correctly implemented and provides the necessary user data.

26-26: Use of canPerformWorkspaceMemberActions.

The canPerformWorkspaceMemberActions function is extracted from the useUser hook to conditionally render components. This improves the sidebar's responsiveness to user permissions.

89-89: Conditional rendering of SidebarFavoritesMenu.

The SidebarFavoritesMenu is now conditionally rendered based on the canPerformWorkspaceMemberActions permission. This ensures that only users with the appropriate permissions see this menu.

apiserver/plane/app/views/issue/activity.py (2)

22-22: Import the allow_permission decorator.

The allow_permission decorator is imported for use in the endpoint. Ensure that this decorator is correctly implemented and enforces the intended permissions.

36-36: Apply allow_permission decorator to get method.

The allow_permission decorator is applied to the get method, restricting access to users with "ADMIN", "MEMBER", "GUEST", and "VIEWER" roles. This enhances access control for the endpoint.

apiserver/plane/app/views/issue/attachment.py (4)

18-18: Import the allow_permission decorator.

The allow_permission decorator is imported to manage permissions at the method level. Ensure that this decorator is correctly implemented and enforces the intended permissions.

25-25: Apply allow_permission decorator to post method.

The allow_permission decorator is applied to the post method, allowing "ADMIN", "MEMBER", and "GUEST" roles to create attachments. This broadens access while maintaining control.

47-47: Apply allow_permission decorator to delete method.

The allow_permission decorator is applied to the delete method, allowing only "ADMIN" users and the creator of the attachment to delete it. This ensures that deletions are controlled and secure.

66-66: Apply allow_permission decorator to get method.

The allow_permission decorator is applied to the get method, allowing "ADMIN", "MEMBER", "GUEST", and "VIEWER" roles to access attachments. This enhances accessibility while maintaining security.

apiserver/plane/app/views/exporter/base.py (2)

65-65: Ensure consistent permission handling.

The @allow_permission decorator is used for both post and get methods. Verify that this approach is consistently applied across other endpoints requiring similar permissions.

Verification successful

Consistent Permission Handling Verified

The @allow_permission decorator is consistently used across various endpoints in the codebase, with different roles and levels tailored to specific needs. This indicates a consistent approach to permission management.

  • Examples found in files like apiserver/plane/app/views/workspace/favorite.py, apiserver/plane/app/views/project/member.py, and many others.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify consistent usage of `@allow_permission` across other endpoints.

# Test: Search for usage of `@allow_permission`. Expect: Consistent application across similar endpoints.
rg --type python '@allow_permission'

Length of output: 67

Script:

#!/bin/bash
# Description: Verify consistent usage of `@allow_permission` across other endpoints.

# Test: Search for usage of `@allow_permission`. Expect: Consistent application across similar endpoints.
rg -t py '@allow_permission'

Length of output: 11556

18-18: Verify the implementation of @allow_permission.

The @allow_permission decorator introduces a new way to handle permissions. Ensure that its implementation correctly validates roles and levels as intended.

Verification successful

The @allow_permission decorator correctly validates roles and levels.

The implementation of the allow_permission decorator includes logic for checking user roles and levels. It verifies if the user has the required role within a workspace or project context and handles creator-specific permissions if necessary. If the user does not meet the conditions, it returns a permission denied response.

  • The decorator checks for creator permissions if the creator flag is set and a model is provided.
  • It validates roles based on the level parameter, supporting both "WORKSPACE" and other levels.
  • If the conditions are not met, it responds with an unauthorized error message.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the implementation of the `@allow_permission` decorator.

# Test: Search for the implementation of `@allow_permission`. Expect: Correct validation of roles and levels.
ast-grep --lang python --pattern $'def allow_permission(roles, level):\n  $$$\n'

Length of output: 79

Script:

#!/bin/bash
# Broaden the search for the `allow_permission` decorator by looking for its definition and usage.
# This will help locate its implementation and understand its functionality.

# Search for the definition of `allow_permission` in the codebase.
rg 'def allow_permission' -A 10

# Search for any usage of `allow_permission` as a decorator.
rg '@allow_permission'

Length of output: 12452

Script:

#!/bin/bash
# Extract more lines from the `allow_permission` implementation to understand its logic.

# Get the full implementation of `allow_permission` to ensure correct validation of roles and levels.
rg 'def allow_permission' -A 50 apiserver/plane/app/permissions/base.py

Length of output: 1670

web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/header.tsx (2)

73-83: Validate link rendering based on access levels.

The rendering of links is conditional on projectMemberInfo meeting or exceeding item.access. Ensure this logic correctly reflects intended access control.

Verification successful

Link Rendering Logic is Correctly Implemented

The PROJECT_SETTINGS_LINKS array defines access levels using the access property, which aligns with the conditional rendering logic in the code. The logic correctly checks if projectMemberInfo meets or exceeds the required access level to render each link. No issues found.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify link rendering logic based on access levels.

# Test: Search for `PROJECT_SETTINGS_LINKS` and verify access level conditions. Expect: Correct conditional rendering.
rg --type js 'PROJECT_SETTINGS_LINKS'

Length of output: 37

Script:

#!/bin/bash
# Description: Search for the definition of `PROJECT_SETTINGS_LINKS` across all file types to understand its structure.
rg 'PROJECT_SETTINGS_LINKS'

Length of output: 678

Script:

#!/bin/bash
# Description: Extract the definition of `PROJECT_SETTINGS_LINKS` to verify its structure and access levels.
rg --type js --context 10 'PROJECT_SETTINGS_LINKS' web/core/constants/project.ts

Length of output: 1738

27-27: Review role assignment logic.

The projectMemberInfo variable defaults to EUserProjectRoles.GUEST if currentProjectRole is undefined. Ensure this logic aligns with intended role assignments.

Verification successful

Role assignment logic is consistent.

The projectMemberInfo variable defaults to EUserProjectRoles.GUEST when currentProjectRole is undefined, which aligns with the usage of EUserProjectRoles across the codebase. This behavior appears intentional and consistent with the role hierarchy.

  • EUserProjectRoles is defined as an enum with roles including GUEST, VIEWER, MEMBER, and ADMIN.
  • The default assignment to GUEST is used consistently in other parts of the codebase.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the role assignment logic for `projectMemberInfo`.

# Test: Search for the definition and usage of `EUserProjectRoles.GUEST`. Expect: Logical default assignment.
rg --type js 'EUserProjectRoles.GUEST'

Length of output: 38

Script:

#!/bin/bash
# Search for the definition of `EUserProjectRoles` to understand its context.
rg --type js 'EUserProjectRoles'

# Search for the usage of `projectMemberInfo` to see how it is used in the codebase.
rg --type js 'projectMemberInfo'

Length of output: 65

Script:

#!/bin/bash
# Search for the definition and usage of `EUserProjectRoles` in both JavaScript and TypeScript files.
rg --type-add 'jsts:*.{js,jsx,ts,tsx}' --type jsts 'EUserProjectRoles'

# Search for the definition and usage of `projectMemberInfo` in both JavaScript and TypeScript files.
rg --type-add 'jsts:*.{js,jsx,ts,tsx}' --type jsts 'projectMemberInfo'

# Search for import/export statements related to `EUserProjectRoles` to find its module.
rg --type jsts 'import.*EUserProjectRoles|export.*EUserProjectRoles'

Length of output: 25962

web/app/[workspaceSlug]/(projects)/settings/api-tokens/page.tsx (2)

45-46: Check unauthorized view rendering.

The NotAuthorizedView component is used for unauthorized access. Ensure it provides a consistent user experience across different unauthorized scenarios.

Verification successful

Consistent unauthorized view rendering confirmed.

The NotAuthorizedView component is consistently used across multiple settings pages to handle unauthorized access, ensuring a uniform user experience. The component is defined in web/core/components/auth-screens/not-authorized-view.tsx and imported in various settings-related files.

  • Component Definition: web/core/components/auth-screens/not-authorized-view.tsx
  • Consistent Usage: Confirmed in multiple settings-related pages.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage and rendering logic of `NotAuthorizedView`.

# Test: Search for the implementation of `NotAuthorizedView`. Expect: Consistent user experience for unauthorized access.
rg --type js 'NotAuthorizedView'

Length of output: 32

Script:

#!/bin/bash
# Search for the `NotAuthorizedView` component definition in the codebase using `ast-grep`.
ast-grep --lang javascript --pattern 'function NotAuthorizedView($_) { $$$ }'
ast-grep --lang javascript --pattern 'const NotAuthorizedView = ($_$$$) => { $$$ }'
ast-grep --lang javascript --pattern 'class NotAuthorizedView { $$$ }'

Length of output: 238

Script:

#!/bin/bash
# Search for `NotAuthorizedView` in TypeScript files and check for import statements.
rg --type ts 'NotAuthorizedView'
rg --type ts 'import .*NotAuthorizedView'

Length of output: 4838

32-32: Verify canPerformWorkspaceAdminActions logic.

The canPerformWorkspaceAdminActions property is used to determine admin capabilities. Ensure its implementation correctly encapsulates necessary permissions.

web/core/components/pages/list/block-item-action.tsx (3)

15-15: Import addition approved.

The addition of useProject is necessary for fetching project details.

30-38: Logic changes approved.

The logic for fetching project details and determining user roles is correctly implemented.

84-93: Conditional rendering approved.

The FavoriteStar component is correctly rendered only for users who are not viewers or guests.

apiserver/plane/app/views/workspace/favorite.py (1)

17-17: Decorator usage approved.

The @allow_permission decorator is correctly applied to enhance permission management for HTTP methods.

Also applies to: 35-35, 48-48, 61-61, 72-72

web/app/[workspaceSlug]/(projects)/settings/webhooks/page.tsx (2)

27-35: Authorization logic approved.

The use of canPerformWorkspaceAdminActions for authorization checks and data fetching is correctly implemented.

45-47: Rendering logic approved.

The NotAuthorizedView component is correctly rendered for unauthorized users.

apiserver/plane/app/views/search/issue.py (1)

77-85: Verify role-based filtering logic.

The added logic filters issues created by the user if they have role 5. Ensure that this role is correctly defined and that the logic aligns with the intended permission model.

apiserver/plane/app/views/issue/label.py (2)

46-46: Confirm allow_permission decorator usage.

The allow_permission decorator is applied to enforce role-based access. Ensure that the roles specified ("ADMIN", "MEMBER") align with the intended access control policies.

Also applies to: 69-69, 76-76, 82-82

Verification successful

Consistent use of allow_permission decorator with specified roles.

The allow_permission decorator with roles ["ADMIN", "MEMBER"] is consistently applied across multiple files and methods, indicating alignment with the intended access control policies. No issues found.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the `allow_permission` decorator roles.

# Test: Search for the `allow_permission` decorator to ensure roles are correctly assigned.
rg --type python '@allow_permission\(\["ADMIN", "MEMBER"\]\)' -A 5

Length of output: 99

Script:

#!/bin/bash
# Description: Verify the `allow_permission` decorator roles.

# Test: Search for the `allow_permission` decorator with specified roles.
rg '@allow_permission\(\["ADMIN", "MEMBER"\]\)' --glob '*.py' -A 5

Length of output: 19640

14-14: Ensure compatibility with ProjectBasePermission.

The permission class has been updated to ProjectBasePermission. Verify that this class provides the necessary permissions and is compatible with the existing logic.

Verification successful

ProjectBasePermission is compatible with existing logic.

The ProjectBasePermission class is implemented with methods to handle user permissions based on roles and request methods, ensuring appropriate access control. This confirms its compatibility and correctness within the codebase.

  • The has_permission method effectively checks user roles and request types to grant or deny access.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the implementation of `ProjectBasePermission`.

# Test: Search for the definition of `ProjectBasePermission` to ensure it contains the necessary logic.
ast-grep --lang python --pattern $'class ProjectBasePermission($_) { $$$ }'

Length of output: 538

Script:

#!/bin/bash
# Description: Verify the implementation of `ProjectBasePermission`.

# Test: Correct the pattern to search for the definition of `ProjectBasePermission`.
ast-grep --lang python --pattern 'class ProjectBasePermission:'

Length of output: 65

Script:

#!/bin/bash
# Description: Search for any mention of `ProjectBasePermission` across the codebase to gather more context.

rg 'ProjectBasePermission'

Length of output: 922

Script:

#!/bin/bash
# Description: Extract the full definition of `ProjectBasePermission` from its source file.

ast-grep --lang python --pattern 'class ProjectBasePermission: $$$' apiserver/plane/app/permissions/project.py

Length of output: 112

Script:

#!/bin/bash
# Description: Extract lines around the definition of `ProjectBasePermission` to verify its structure.

rg -A 20 'class ProjectBasePermission' apiserver/plane/app/permissions/project.py

Length of output: 885

web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/views/(list)/header.tsx (1)

79-83: Assess impact of always rendering "Add view" button.

The "Add view" button is now always rendered, regardless of user permissions. Ensure this change aligns with the intended functionality and does not compromise access control.

web/app/[workspaceSlug]/(projects)/settings/members/page.tsx (5)

12-12: Import Addition Approved.

The addition of NotAuthorizedView is appropriate as it is used for rendering unauthorized access views.

32-34: Permission Hooks Integration Approved.

The new hooks canPerformWorkspaceAdminActions, canPerformWorkspaceViewerActions, and canPerformWorkspaceMemberActions improve clarity and maintainability by encapsulating permission logic.

88-91: Unauthorized Access Handling Approved.

The conditional rendering of NotAuthorizedView ensures that users without viewer permissions are appropriately redirected, enhancing security.

101-104: Conditional Styling Approved.

The conditional opacity styling based on canPerformWorkspaceMemberActions provides a clear visual cue regarding user permissions.

118-120: "Add Member" Button Logic Approved.

The visibility of the "Add member" button is correctly controlled by canPerformWorkspaceAdminActions, aligning with the permission model.

apiserver/plane/app/views/webhook/base.py (7)

12-12: Import Addition Approved.

The addition of the allow_permission import is necessary for the updated permission handling logic.

18-20: Permission Decorator Approved for POST Method.

The @allow_permission(roles=["ADMIN"], level="WORKSPACE") decorator correctly restricts access to the post method for users with the "ADMIN" role.

41-43: Permission Decorator Approved for GET Method.

The @allow_permission(roles=["ADMIN"], level="WORKSPACE") decorator correctly restricts access to the get method for users with the "ADMIN" role.

81-83: Permission Decorator Approved for PATCH Method.

The @allow_permission(roles=["ADMIN"], level="WORKSPACE") decorator correctly restricts access to the patch method for users with the "ADMIN" role.

107-109: Permission Decorator Approved for DELETE Method.

The @allow_permission(roles=["ADMIN"], level="WORKSPACE") decorator correctly restricts access to the delete method for users with the "ADMIN" role.

116-118: Permission Decorator Approved for WebhookSecretRegenerateEndpoint POST Method.

The @allow_permission(roles=["ADMIN"], level="WORKSPACE") decorator correctly restricts access to the post method for users with the "ADMIN" role.

127-129: Permission Decorator Approved for WebhookLogsEndpoint GET Method.

The @allow_permission(roles=["ADMIN"], level="WORKSPACE") decorator correctly restricts access to the get method for users with the "ADMIN" role.

apiserver/plane/app/views/external/base.py (3)

14-16: Import Addition Approved.

The addition of the allow_permission import is necessary for the updated permission handling logic.

27-29: Permission Decorator Approved for GPTIntegrationEndpoint POST Method.

The @allow_permission(["ADMIN", "MEMBER"]) decorator correctly restricts access to the post method for users with the "ADMIN" or "MEMBER" role.

88-90: Permission Decorator Approved for WorkspaceGPTIntegrationEndpoint POST Method.

The @allow_permission(roles=["ADMIN", "MEMBER"], level="WORKSPACE") decorator correctly restricts access to the post method for users with the "ADMIN" or "MEMBER" role.

web/app/[workspaceSlug]/(projects)/workspace-views/header.tsx (1)

139-142: Review the impact of removing role-based checks.

The removal of the isAuthorizedUser check means the "Add view" button is now accessible to all users, regardless of their role. This could lead to unauthorized access to functionality intended for specific roles.

Please ensure that this change aligns with the intended access control policies. If necessary, consider reintroducing role-based checks to maintain security.

web/core/components/project/settings/member-columns.tsx (1)

103-114: Ensure role-checking logic aligns with intended permissions.

The checkCurrentOptionWorkspaceRole function filters roles based on the current user's workspace role. Verify that this logic correctly reflects the intended role hierarchy and permissions.

Please confirm that the filtering logic meets the project's requirements for role management.

web/core/constants/project.ts (1)

82-90: Review changes to access levels for project settings.

The access levels for "General" and "Members" settings have been lowered, allowing broader access. Ensure these changes align with your security policies and do not inadvertently grant unauthorized access.

Please review the broader impact of these changes on access control and user permissions.

web/core/layouts/auth-layout/workspace-wrapper.tsx (1)

75-80: Ensure consistent permission checks for fetching data.

The conditional check for canPerformWorkspaceMemberActions before fetching workspace favorites is a good addition. Ensure similar permission checks are applied consistently across other data fetching logic to maintain security and access control.

Verification successful

Consistent Permission Checks Verified

The search results indicate that canPerformWorkspaceMemberActions is used consistently across various components in the codebase to control access and permissions. This includes its use in workspace-wrapper.tsx, command-palette.tsx, and several other files, ensuring that permission checks are applied uniformly for data fetching and UI interactions.

  • Files with permission checks:
    • web/core/layouts/auth-layout/workspace-wrapper.tsx
    • web/core/components/command-palette/command-palette.tsx
    • web/app/[workspaceSlug]/(projects)/sidebar.tsx
    • web/app/[workspaceSlug]/(projects)/settings/members/page.tsx
    • web/app/[workspaceSlug]/(projects)/settings/exports/page.tsx

These checks help maintain security and access control throughout the application.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify consistent permission checks for data fetching.

# Test: Search for conditional checks involving `canPerformWorkspaceMemberActions`.
rg --type tsx 'canPerformWorkspaceMemberActions'

Length of output: 76

Script:

#!/bin/bash
# Description: Verify consistent permission checks for data fetching.

# Test: Search for conditional checks involving `canPerformWorkspaceMemberActions` in .ts and .tsx files.
rg 'canPerformWorkspaceMemberActions' --glob '*.ts' --glob '*.tsx'

Length of output: 1759

apiserver/plane/app/views/issue/comment.py (3)

123-123: Check creator condition for comment deletion.

The destroy method restricts access to "ADMIN" and the creator of the comment. Ensure this condition is correctly implemented and aligns with the application's requirements.

Verification successful

Creator Condition for Comment Deletion is Correctly Implemented

The allow_permission decorator correctly enforces the creator condition by checking if the user is the creator of the IssueComment before allowing deletion. This aligns with the application's requirements.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the creator condition enforcement in `destroy`.

# Test: Search for the implementation of `allow_permission` to ensure correct enforcement.
rg --type py 'allow_permission'

Length of output: 14565

Script:

#!/bin/bash
# Description: Examine the implementation of `allow_permission` to verify how the `creator` condition is enforced.

# Locate the implementation of `allow_permission` in the permissions module.
rg --type py 'def allow_permission' -A 20

Length of output: 1720

66-66: Verify role inclusivity for comment creation.

The create method now allows roles "ADMIN", "MEMBER", "GUEST", and "VIEWER". Verify that this inclusivity aligns with the application's security policies and user role definitions.

91-91: Ensure creator condition is correctly enforced.

The partial_update method includes a creator condition. Verify that the allow_permission decorator correctly enforces this condition for the intended roles.

Verification successful

Creator Condition is Correctly Enforced in allow_permission Decorator

The allow_permission decorator correctly enforces the creator condition by checking if the user is the creator of the object before proceeding with role-based permission checks. This ensures that only the creator can perform actions on their objects, as intended.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the enforcement of the creator condition in `partial_update`.

# Test: Search for the implementation of `allow_permission` to ensure correct enforcement.
rg --type py 'allow_permission'

Length of output: 14565

Script:

#!/bin/bash
# Extract the implementation of the allow_permission function to verify the enforcement of the creator condition.
ast-grep --lang python --pattern 'def allow_permission(roles, level="PROJECT", creator=False, model=None): {$$$}' apiserver/plane/app/permissions/base.py

Length of output: 155

Script:

#!/bin/bash
# Search for the implementation of the allow_permission function to verify the enforcement of the creator condition.
rg 'def allow_permission' -A 20 apiserver/plane/app/permissions/base.py

Length of output: 910

web/core/constants/dashboard.ts (2)

282-282: Confirm role change impact on user experience.

The access role for the "Cycles" menu item has been changed from GUEST to MEMBER. Verify that this change aligns with user access requirements and does not negatively impact user experience for non-member roles.

320-320: Review access role for "Your work" menu item.

The access role for the "Your work" menu item has been updated to MEMBER. Ensure this aligns with the intended access control strategy and does not restrict necessary access for other roles.

Verification successful

Verification Successful: Access role update aligns with existing access control logic.

The update to use EUserWorkspaceRoles.MEMBER for the "Your work" menu item is consistent with the access control strategy observed in the codebase. This role is used as a baseline for authorization across various components, ensuring that the change does not restrict necessary access for other roles.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the impact of role change on user experience for "Your work".

# Test: Search for documentation or code comments related to access requirements.
rg --type ts 'Your work'

Length of output: 795

Script:

#!/bin/bash
# Search for all occurrences of EUserWorkspaceRoles.MEMBER in the codebase to understand its usage.
rg 'EUserWorkspaceRoles\.MEMBER' --type ts -A 5

# Search for all references to the "Your work" menu item to see how access control is implemented.
rg 'Your work' --type ts -A 5

Length of output: 15163

apiserver/plane/app/views/estimate/base.py (2)

231-231: Verify deletion logic in destroy method.

Ensure that all related data and references are appropriately cleaned up when an estimate point is deleted.

Verification successful

Deletion logic in destroy method is correctly implemented.

The method updates related issues and rearranges keys of remaining estimate points before deleting the old estimate point, ensuring proper cleanup and maintenance of data integrity.

  • The method updates issues to a new estimate point ID if provided.
  • It rearranges the keys of remaining estimate points to maintain order.
  • Finally, it deletes the old estimate point.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the deletion logic for the `destroy` method in `EstimatePointEndpoint`.

# Test: Check for related cleanup logic in the codebase. Expect: References and related data are handled.
ast-grep --lang python --pattern $'def destroy(self, $_, $_, $_, $_, $_):\n  $$$\n  old_estimate_point.delete()'

Length of output: 3444

27-27: Verify the expanded access for get method.

The @allow_permission(["ADMIN", "MEMBER", "VIEWER"]) decorator broadens access to the get method. Ensure this change aligns with the security model and that exposing this data to VIEWER roles is intended.

web/core/store/user/index.ts (8)

295-297: LGTM: Workspace admin actions logic.

The computed property correctly checks for workspace admin role permissions.

303-304: LGTM: Workspace member actions logic.

The computed property correctly checks for workspace member role permissions or higher.

312-313: LGTM: Workspace viewer actions logic.

The computed property correctly checks for workspace viewer role permissions or higher.

320-321: LGTM: Workspace guest actions logic.

The computed property correctly checks for workspace guest role permissions or higher.

325-327: LGTM: Project admin actions logic.

The computed property correctly checks for project admin role permissions.

336-337: LGTM: Project member actions logic.

The computed property correctly checks for project member role permissions or higher.

345-346: LGTM: Project viewer actions logic.

The computed property correctly checks for project viewer role permissions or higher.

353-354: LGTM: Project guest actions logic.

The computed property correctly checks for project guest role permissions or higher.

apiserver/plane/app/views/module/issue.py (4)

308-308: Verify deletion logic in destroy method.

Ensure that all related data and references are appropriately cleaned up when a module issue is deleted.

95-95: Verify the expanded access for list method.

The @allow_permission(["ADMIN", "MEMBER", "VIEWER"]) decorator broadens access to the list method. Ensure this change aligns with the security model and that exposing this data to VIEWER roles is intended.

203-203: Verify bulk creation logic in create_module_issues method.

Ensure that all necessary validations are in place for the bulk creation of module issues to maintain data integrity.

245-245: Verify module management logic in create_issue_modules method.

Ensure that the logic for adding and removing modules is consistent and handles all edge cases, maintaining data integrity.

web/core/components/command-palette/command-palette.tsx (1)

46-47: Update Permission Logic: Ensure Correctness of Member Action Checks

The properties canPerformProjectMemberActions and canPerformWorkspaceMemberActions replace the previous creation action checks. Verify that these properties correctly reflect the intended permissions for member-level actions.

Verification successful

Verified: Member Action Permission Logic is Correct

The properties canPerformProjectMemberActions and canPerformWorkspaceMemberActions are correctly implemented and used throughout the codebase to control access to member-level actions. Their definitions and usage align with the intended permission checks.

  • Defined as booleans with computed properties in web/core/store/user/index.ts.
  • Used in web/core/components/command-palette/command-palette.tsx and other components to conditionally perform actions based on user permissions.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage and definition of `canPerformProjectMemberActions` and `canPerformWorkspaceMemberActions` in the codebase.

# Test: Search for the definitions and usages of these properties. Expect: Correct implementation and usage.
rg --type tsx 'canPerform(Project|Workspace)MemberActions'

Length of output: 88

Script:

#!/bin/bash
# Description: Verify the usage and definition of `canPerformProjectMemberActions` and `canPerformWorkspaceMemberActions` in the codebase.

# Test: Search for the definitions and usages of these properties in TypeScript files.
rg 'canPerform(Project|Workspace)MemberActions' --glob '*.ts' --glob '*.tsx'

Length of output: 2946

apiserver/plane/app/views/cycle/issue.py (3)

326-326: Verify Permission Decorator: destroy Method

The @allow_permission(["ADMIN", "MEMBER"]) decorator is applied to the destroy method. Ensure that this aligns with the intended access control for deleting cycle issues.

Verification successful

Verified Permission Decorator for destroy Method

The @allow_permission(["ADMIN", "MEMBER"]) decorator is indeed applied to the destroy method in the apiserver/plane/app/views/cycle/issue.py file. This matches the intended access control for deleting cycle issues.

  • File: apiserver/plane/app/views/cycle/issue.py
  • Line: 326

The application of the decorator aligns with the specified roles, confirming the correct implementation of access control for this method.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `@allow_permission` in the `destroy` method.

# Test: Search for the `destroy` method in the codebase to ensure the correct application of the `@allow_permission` decorator.
ast-grep --lang python --pattern $'class CycleIssueViewSet {\n  $$$\n  @allow_permission(["ADMIN", "MEMBER"])\n  def destroy(self, request, slug, project_id, cycle_id, issue_id):\n    $$$\n  $$$\n}'

Length of output: 772

Script:

#!/bin/bash
# Description: Verify the usage of `@allow_permission` in the `destroy` method with corrected pattern.

# Corrected Test: Search for the `destroy` method in the codebase to ensure the correct application of the `@allow_permission` decorator.
ast-grep --lang python --pattern $'class CycleIssueViewSet:\n  $$$\n  @allow_permission(["ADMIN", "MEMBER"])\n  def destroy(self, request, slug, project_id, cycle_id, issue_id):\n    $$$\n  $$$'

Length of output: 190

Script:

#!/bin/bash
# Description: Search for the `destroy` method in the codebase to verify its existence and decorators.

# Search for the `destroy` method in any class to check its existence.
ast-grep --lang python --pattern $'def destroy(self, $$$):\n  $$$'

# Search for any decorators applied to the `destroy` method.
ast-grep --lang python --pattern $'@$_\ndef destroy(self, $$$):\n  $$$'

Length of output: 103761

230-230: Verify Permission Decorator: create Method

The @allow_permission(["ADMIN", "MEMBER"]) decorator is applied to the create method. Ensure that this aligns with the intended access control for creating cycle issues.

Verification successful

Verification Successful: Permission Decorator on create Method

The @allow_permission(["ADMIN", "MEMBER"]) decorator is correctly applied to the create method in the CycleIssueViewSet class. This aligns with the intended access control for creating cycle issues.

  • File: apiserver/plane/app/views/cycle/issue.py
  • Method: create
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `@allow_permission` in the `create` method.

# Test: Search for the `create` method in the codebase to ensure the correct application of the `@allow_permission` decorator.
ast-grep --lang python --pattern $'class CycleIssueViewSet {\n  $$$\n  @allow_permission(["ADMIN", "MEMBER"])\n  def create(self, request, slug, project_id, cycle_id):\n    $$$\n  $$$\n}'

Length of output: 750

Script:

#!/bin/bash
# Corrected the pattern to match Python's syntax for the `create` method in the `CycleIssueViewSet` class.
ast-grep --lang python --pattern $'class CycleIssueViewSet:\n  $$$\n  @allow_permission(["ADMIN", "MEMBER"])\n  def create(self, request, slug, project_id, cycle_id):\n    $$$\n'

Length of output: 174

Script:

#!/bin/bash
# Search for the `CycleIssueViewSet` class definition in the codebase.
ast-grep --lang python --pattern 'class CycleIssueViewSet:\n    $$$\n'

# Search for all `create` methods in the codebase to find their decorators.
ast-grep --lang python --pattern 'def create(self, $$$):\n    $$$\n'

Length of output: 833

Script:

#!/bin/bash
# Use ripgrep to search for the `CycleIssueViewSet` class and list its methods.
rg -A 10 'class CycleIssueViewSet' --glob '*.py'

# Use ripgrep to search for the `create` method and its decorators.
rg -A 3 'def create' --glob '*.py'

Length of output: 34000

Script:

#!/bin/bash
# Search for the `create` method in `apiserver/plane/app/views/cycle/issue.py` and include context lines to capture decorators.
rg -A 5 -B 2 'def create' apiserver/plane/app/views/cycle/issue.py

Length of output: 322

83-83: Verify Permission Decorator: list Method

The @allow_permission(["ADMIN", "MEMBER", "VIEWER"]) decorator is applied to the list method. Ensure that this aligns with the intended access control for listing cycle issues.

Verification successful

Permission Decorator Verified: list Method

The @allow_permission(["ADMIN", "MEMBER", "VIEWER"]) decorator is correctly applied to the list method in apiserver/plane/app/views/cycle/issue.py. This aligns with the intended access control for listing cycle issues. No further action is needed.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `@allow_permission` in the `list` method.

# Test: Search for the `list` method in the codebase to ensure the correct application of the `@allow_permission` decorator.
ast-grep --lang python --pattern $'class CycleIssueViewSet {\n  $$$\n  @allow_permission(["ADMIN", "MEMBER", "VIEWER"])\n  def list(self, request, slug, project_id, cycle_id):\n    $$$\n  $$$\n}'

Length of output: 766

Script:

#!/bin/bash
# Description: Verify the usage of `@allow_permission` in the `list` method with corrected syntax.

# Test: Search for the `list` method in the codebase to ensure the correct application of the `@allow_permission` decorator.
ast-grep --lang python --pattern $'class CycleIssueViewSet:\n  $$$\n  @allow_permission(["ADMIN", "MEMBER", "VIEWER"])\n  def list(self, request, slug, project_id, cycle_id):\n    $$$\n  $$$\n'

Length of output: 188

Script:

#!/bin/bash
# Description: Search for the `list` method in the `CycleIssueViewSet` class to verify its existence and definition.

# Test: Search for the `list` method within the `CycleIssueViewSet` class.
ast-grep --lang python --pattern $'class CycleIssueViewSet:\n  $$$\n  def list(self, $_$$):\n    $$$\n  $$$\n'

Length of output: 106

Script:

#!/bin/bash
# Description: Search for the `CycleIssueViewSet` class to verify its existence.

# Test: Search for the `CycleIssueViewSet` class in the codebase.
ast-grep --lang python --pattern $'class CycleIssueViewSet:\n  $$$\n'

# Description: Search for any `list` methods in the codebase.

# Test: Search for `list` methods in the codebase.
ast-grep --lang python --pattern $'def list($_$$):\n    $$$\n'

Length of output: 130

Script:

#!/bin/bash
# Description: Search for the usage of the `@allow_permission` decorator in the codebase.

# Test: Search for the `@allow_permission` decorator usage.
rg '@allow_permission' -A 5

Length of output: 62228

apiserver/plane/app/views/analytic/base.py (4)

203-203: Verify Permission Decorator: get Method in SavedAnalyticEndpoint

The @allow_permission(["ADMIN", "MEMBER", "VIEWER"]) decorator is applied to the get method. Ensure that this aligns with the intended access control for retrieving saved analytics.

299-299: Verify Permission Decorator: get Method in DefaultAnalyticsEndpoint

The @allow_permission(["ADMIN", "MEMBER", "VIEWER", "GUEST"]) decorator is applied to the get method. Ensure that this aligns with the intended access control for default analytics data.

Verification successful

Verified: Permission Decorator on get Method in DefaultAnalyticsEndpoint

The @allow_permission(["ADMIN", "MEMBER", "VIEWER", "GUEST"], level="WORKSPACE") decorator is correctly applied to the get method in the DefaultAnalyticsEndpoint class. This aligns with the intended access control for default analytics data.

  • Location: apiserver/plane/app/views/analytic/base.py
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `@allow_permission` in the `get` method of `DefaultAnalyticsEndpoint`.

# Test: Search for the `get` method in the `DefaultAnalyticsEndpoint` class to ensure the correct application of the `@allow_permission` decorator.
ast-grep --lang python --pattern $'class DefaultAnalyticsEndpoint {\n  $$$\n  @allow_permission(["ADMIN", "MEMBER", "VIEWER", "GUEST"], level="WORKSPACE")\n  def get(self, request, slug):\n    $$$\n  $$$\n}'

Length of output: 790

Script:

#!/bin/bash
# Description: Verify the usage of `@allow_permission` in the `get` method of `DefaultAnalyticsEndpoint`.

# Corrected Test: Search for the `get` method in the `DefaultAnalyticsEndpoint` class to ensure the correct application of the `@allow_permission` decorator.
ast-grep --lang python --pattern $'class DefaultAnalyticsEndpoint:\n  $$$\n  @allow_permission(["ADMIN", "MEMBER", "VIEWER", "GUEST"], level="WORKSPACE")\n  def get(self, request, slug):\n    $$$\n  $$$\n'

Length of output: 200

Script:

#!/bin/bash
# Description: List methods in the `DefaultAnalyticsEndpoint` class to verify the presence of the `get` method and its decorators.

# Search for the `DefaultAnalyticsEndpoint` class and list its methods.
ast-grep --lang python --pattern $'class DefaultAnalyticsEndpoint:\n    $$$\n' --json | jq -r '.[] | .matches[] | select(.kind == "function_definition") | .name'

Length of output: 160

Script:

#!/bin/bash
# Description: Search for the `DefaultAnalyticsEndpoint` class definition in the codebase.

# Use ripgrep to search for the class definition across the codebase.
rg 'class DefaultAnalyticsEndpoint' --glob '*.py' -A 5

Length of output: 577

234-234: Verify Permission Decorator: post Method in ExportAnalyticsEndpoint

The @allow_permission(["ADMIN", "MEMBER", "VIEWER"]) decorator is applied to the post method. Ensure that this aligns with the intended access control for exporting analytics data.

Verification successful

Verification Successful: Permission Decorator on post Method in ExportAnalyticsEndpoint

The ExportAnalyticsEndpoint class indeed contains a post method with the @allow_permission(["ADMIN", "MEMBER", "VIEWER"], level="WORKSPACE") decorator. This aligns with the intended access control for exporting analytics data as described in the review comment. The verification confirms that the decorator is correctly applied.

  • File: apiserver/plane/app/views/analytic/base.py
  • Class: ExportAnalyticsEndpoint
  • Method: post
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `@allow_permission` in the `post` method of `ExportAnalyticsEndpoint`.

# Test: Search for the `post` method in the `ExportAnalyticsEndpoint` class to ensure the correct application of the `@allow_permission` decorator.
ast-grep --lang python --pattern $'class ExportAnalyticsEndpoint {\n  $$$\n  @allow_permission(["ADMIN", "MEMBER", "VIEWER"], level="WORKSPACE")\n  def post(self, request, slug):\n    $$$\n  $$$\n}'

Length of output: 772

Script:

#!/bin/bash
# Corrected script to verify the usage of `@allow_permission` in the `post` method of `ExportAnalyticsEndpoint`.

# Test: Search for the `post` method in the `ExportAnalyticsEndpoint` class to ensure the correct application of the `@allow_permission` decorator.
ast-grep --lang python --pattern $'class ExportAnalyticsEndpoint:\n  $$$\n  @allow_permission(["ADMIN", "MEMBER", "VIEWER"], level="WORKSPACE")\n  def post(self, request, slug):\n    $$$\n  $$$\n'

Length of output: 191

Script:

#!/bin/bash
# Search for the ExportAnalyticsEndpoint class and list all its methods to verify existence and decorators.

# Find the ExportAnalyticsEndpoint class definition
ast-grep --lang python --pattern $'class ExportAnalyticsEndpoint:\n  $$$\n'

# List all methods in the ExportAnalyticsEndpoint class
ast-grep --lang python --pattern $'class ExportAnalyticsEndpoint:\n  $$$\n  def $_($$):\n    $$$\n  $$$\n'

Length of output: 177

Script:

#!/bin/bash
# Search for any class names containing "ExportAnalytics" and list all their methods to verify existence and decorators.

# Find all class definitions containing "ExportAnalytics"
rg --pcre2 --multiline --multiline-dotall 'class\s+.*ExportAnalytics.*:\s*' -A 10

# Search for any `post` methods with decorators in the codebase
rg --pcre2 --multiline --multiline-dotall '@allow_permission\(\[.*\]\)\s*def post\(' -A 5

Length of output: 163785

23-23: Verify Permission Decorator: get Method in AnalyticsEndpoint

The @allow_permission(["ADMIN", "MEMBER", "VIEWER"]) decorator is applied to the get method. Ensure that this aligns with the intended access control for fetching analytics data.

apiserver/plane/app/views/issue/archive.py (5)

99-99: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the list method, aligning with the intended permission changes.

215-215: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the retrieve method, aligning with the intended permission changes.

259-259: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the archive method, aligning with the intended permission changes.

298-298: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the unarchive method, aligning with the intended permission changes.

330-330: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the post method, aligning with the intended permission changes.

apiserver/plane/app/views/notification/base.py (10)

43-45: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the list method, aligning with the intended permission changes.

175-177: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the partial_update method, aligning with the intended permission changes.

195-195: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the mark_read method, aligning with the intended permission changes.

205-205: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the mark_unread method, aligning with the intended permission changes.

215-215: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the archive method, aligning with the intended permission changes.

225-225: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the unarchive method, aligning with the intended permission changes.

238-240: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the get method, aligning with the intended permission changes.

279-279: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the create method, aligning with the intended permission changes.

363-363: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the get method, aligning with the intended permission changes.

374-374: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the patch method, aligning with the intended permission changes.

apiserver/plane/app/views/project/member.py (5)

67-67: LGTM: Permission decorator and role validation added correctly.

The @allow_permission decorator is appropriately applied to the create method, and the role validation logic ensures users cannot be assigned roles higher than their workspace role.

192-192: LGTM: Permission decorator added correctly.

The @allow_permission decorator is appropriately applied to the list method, aligning with the intended permission changes.

207-207: LGTM: Permission decorator and role update validation added correctly.

The @allow_permission decorator is appropriately applied to the partial_update method, and the role update validation logic prevents unauthorized role escalations.

264-264: LGTM: Permission decorator and removal validation added correctly.

The @allow_permission decorator is appropriately applied to the destroy method, and the logic prevents self-removal and unauthorized removals.

301-301: LGTM: Permission decorator and leave validation added correctly.

The @allow_permission decorator is appropriately applied to the leave method, and the logic prevents leaving if the user is the only admin.

web/core/components/project/send-project-invitation-modal.tsx (5)

59-60: Enhance form state management with watch and setValue

The addition of watch and setValue improves dynamic form updates. Ensure that these functions are used correctly to manage form state changes.

172-183: Review checkCurrentOptionWorkspaceRole function

The function checkCurrentOptionWorkspaceRole filters roles based on the current member's workspace role. Ensure that the logic correctly restricts roles for guests and viewers.

297-299: Use checkCurrentOptionWorkspaceRole for role options

The use of checkCurrentOptionWorkspaceRole ensures that role options are contextually relevant. Verify that the function is used consistently across the component.

15-15: Import EUserWorkspaceRoles and ROLE

The import of EUserWorkspaceRoles and ROLE indicates enhanced role management capabilities. Ensure these constants are correctly defined and used consistently throughout the code.

Verification successful

Definitions and Usage of EUserWorkspaceRoles and ROLE Verified

The EUserWorkspaceRoles and ROLE constants are defined and used consistently across multiple files in the codebase, indicating proper role management implementation. Here are the key points:

  • Definition:

    • EUserWorkspaceRoles is defined as an enum in web/core/constants/workspace.ts.
    • ROLE is also defined in the same file.

  • Usage:

    • These constants are imported and used in various files for role management, such as checking user roles and setting access levels.

This confirms that EUserWorkspaceRoles and ROLE are correctly defined and utilized throughout the codebase. No issues found.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the definition of EUserWorkspaceRoles and ROLE in the codebase.
rg --type typescript 'EUserWorkspaceRoles|ROLE'

Length of output: 84

Script:

#!/bin/bash
# Correcting the file type to search for TypeScript files and verify the definition of EUserWorkspaceRoles and ROLE in the codebase.
rg --type ts 'EUserWorkspaceRoles|ROLE'

Length of output: 16988

255-262: Dynamic role update on member ID change

The logic to update the role based on the member ID change ensures that the correct workspace role is set. Verify that getWorkspaceMemberDetails returns accurate role information.

Verification successful

Verification of getWorkspaceMemberDetails

The getWorkspaceMemberDetails function is implemented as a method within the workspace member store (workspace-member.store.ts). It is used consistently across various components to retrieve member details. This suggests that it is correctly integrated into the workspace management logic, and its role information retrieval should be accurate if the store is correctly maintained.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the implementation of getWorkspaceMemberDetails function.
rg --type typescript 'function getWorkspaceMemberDetails'

Length of output: 94

Script:

#!/bin/bash
# Search for the implementation of getWorkspaceMemberDetails function in the codebase.
rg 'function getWorkspaceMemberDetails'

Length of output: 41

Script:

#!/bin/bash
# Search for import statements of getWorkspaceMemberDetails in the codebase.
rg 'import.*getWorkspaceMemberDetails'

Length of output: 40

Script:

#!/bin/bash
# Search for any usage of getWorkspaceMemberDetails in the codebase to gather more context.
rg 'getWorkspaceMemberDetails'

Length of output: 2779

apiserver/plane/app/views/page/base.py (14)

22-22: Import allow_permission for enhanced permission management

The import of allow_permission indicates a shift to method-level permission management. Ensure that this decorator is correctly applied to methods requiring specific role access.

122-122: Apply allow_permission to create method

The create method now requires "ADMIN" or "MEMBER" roles. Verify that this aligns with the intended access control policies.

144-144: Apply allow_permission to partial_update method

The partial_update method now requires "ADMIN" or "MEMBER" roles. Ensure this change is consistent with other update methods.

210-210: Apply allow_permission to retrieve method

The retrieve method now allows "ADMIN", "MEMBER", and "VIEWER" roles. Verify that this provides the intended level of access.

Line range hint 229-239: Apply allow_permission to lock and unlock methods

Both methods now require "ADMIN" or "MEMBER" roles. Ensure this is consistent with the security model across the application.

250-250: Apply allow_permission to access method

The access method now requires "ADMIN" or "MEMBER" roles. Verify that this aligns with the intended access control policies.

273-273: Apply allow_permission to list method

The list method now allows "ADMIN", "MEMBER", and "VIEWER" roles. Ensure this change is consistent with other list methods.

279-279: Apply allow_permission to archive method

The archive method now requires "ADMIN" or "MEMBER" roles. Verify that this aligns with the intended access control policies.

307-307: Apply allow_permission to unarchive method

The unarchive method now requires "ADMIN" or "MEMBER" roles. Ensure this change is consistent with other unarchive methods.

337-337: Apply allow_permission to destroy method

The destroy method now requires "ADMIN" role and checks for creator status. Verify that this provides the intended level of access.

383-383: Apply allow_permission to create method in PageFavoriteViewSet

The create method now requires "ADMIN" or "MEMBER" roles. Ensure this aligns with the intended access control policies.

393-393: Apply allow_permission to destroy method in PageFavoriteViewSet

The destroy method now requires "ADMIN" or "MEMBER" roles. Verify that this is consistent with other destroy methods.

465-465: Apply allow_permission to retrieve method in PagesDescriptionViewSet

The retrieve method now allows "ADMIN", "MEMBER", and "VIEWER" roles. Ensure this change is consistent with other retrieve methods.

490-490: Apply allow_permission to partial_update method in PagesDescriptionViewSet

The partial_update method now allows "ADMIN", "MEMBER", "VIEWER", and "GUEST" roles. Verify that this provides the intended level of access.

apiserver/plane/app/views/view/base.py (10)

25-25: Import allow_permission for enhanced permission management

The import of allow_permission indicates a shift to method-level permission management. Ensure that this decorator is correctly applied to methods requiring specific role access.

79-82: Apply allow_permission to list method in WorkspaceViewViewSet

The list method now allows "ADMIN", "MEMBER", "VIEWER", and "GUEST" roles. Verify that this provides the intended level of access.

101-103: Apply allow_permission to partial_update method in WorkspaceViewViewSet

The partial_update method now requires specific roles and checks for creator status. Ensure this aligns with the intended access control policies.

137-139: Apply allow_permission to destroy method in WorkspaceViewViewSet

The destroy method now requires "ADMIN" role and checks for creator status. Verify that this provides the intended level of access.

257-259: Apply allow_permission to list method in WorkspaceViewIssuesViewSet

The list method now allows "ADMIN", "MEMBER", "VIEWER", and "GUEST" roles. Ensure this change is consistent with other list methods.

419-419: Apply allow_permission to list method in IssueViewViewSet

The list method now allows "ADMIN", "MEMBER", "VIEWER", and "GUEST" roles. Verify that this provides the intended level of access.

440-441: Apply allow_permission to partial_update method in IssueViewViewSet

The partial_update method now requires specific roles and checks for creator status. Ensure this aligns with the intended access control policies.

474-475: Apply allow_permission to destroy method in IssueViewViewSet

The destroy method now requires "ADMIN" role and checks for creator status. Verify that this provides the intended level of access.

520-521: Apply allow_permission to create method in IssueViewFavoriteViewSet

The create method now requires "ADMIN" or "MEMBER" roles. Ensure this aligns with the intended access control policies.

531-532: Apply allow_permission to destroy method in IssueViewFavoriteViewSet

The destroy method now requires "ADMIN" or "MEMBER" roles. Verify that this is consistent with other destroy methods.

apiserver/plane/app/views/inbox/base.py (8)

65-68: LGTM!

The permission decorator is correctly applied to the list method in InboxViewSet.

73-74: LGTM!

The permission decorator is correctly applied to the perform_create method in InboxViewSet.

Line range hint 77-88: LGTM!

The permission decorator is correctly applied to the destroy method in InboxViewSet, and the logic for handling default inbox deletion is appropriate.

Line range hint 170-211: LGTM!

The permission decorator is correctly applied to the list method in InboxIssueViewSet, and the logic for filtering issues based on user roles is well-implemented.

Line range hint 221-322: LGTM!

The permission decorator is correctly applied to the create method in InboxIssueViewSet, and the validation logic is appropriate.

Line range hint 324-526: LGTM!

The permission decorator is correctly applied to the partial_update method in InboxIssueViewSet, and the role-checking logic is well-implemented.

Line range hint 519-553: LGTM!

The permission decorator is correctly applied to the retrieve method in InboxIssueViewSet, with appropriate role and creator checks.

Line range hint 558-577: LGTM!

The permission decorator is correctly applied to the destroy method in InboxIssueViewSet, with appropriate role and status checks.

apiserver/plane/app/views/issue/base.py (9)

Line range hint 63-111: LGTM!

The permission decorator is correctly applied to the get method in IssueListEndpoint, and the issue retrieval logic is appropriate.

Line range hint 225-334: LGTM!

The permission decorator is correctly applied to the list method in IssueViewSet, and the filtering and grouping logic is well-implemented.

Line range hint 340-413: LGTM!

The permission decorator is correctly applied to the create method in IssueViewSet, and the issue creation logic is appropriate.

Line range hint 415-486: LGTM!

The permission decorator is correctly applied to the retrieve method in IssueViewSet, with appropriate role and creator checks.

Line range hint 488-552: LGTM!

The permission decorator is correctly applied to the partial_update method in IssueViewSet, and the update logic is well-implemented.

Line range hint 554-575: LGTM!

The permission decorator is correctly applied to the destroy method in IssueViewSet, with appropriate role and activity tracking.

Line range hint 577-595: LGTM!

The permission decorator is correctly applied to the patch method in IssueUserDisplayPropertyEndpoint, and the update logic is appropriate.

Line range hint 597-604: LGTM!

The permission decorator is correctly applied to the get method in IssueUserDisplayPropertyEndpoint, and the retrieval logic is appropriate.

Line range hint 608-629: LGTM!

The permission decorator is correctly applied to the delete method in BulkDeleteIssuesEndpoint, and the deletion logic is appropriate.

web/core/components/workspace/sidebar/projects-list-item.tsx (2)

48-48: LGTM!

The import of useUser is appropriate for implementing role-based access control.

115-117: LGTM!

The use of useUser for role-based access control in the SidebarProjectsListItem component is well-implemented.

apiserver/plane/app/views/module/base.py (6)

322-322: Permissions for create method are appropriate.

The allow_permission decorator correctly restricts access to "ADMIN", "MEMBER", and "VIEWER" roles for creating modules.

434-435: Permissions for retrieve method are appropriate.

The allow_permission decorator correctly restricts access to "ADMIN", "MEMBER", and "VIEWER" roles for retrieving module details.

680-680: Permissions for partial_update method are appropriate.

The allow_permission decorator correctly restricts access to "ADMIN" and "MEMBER" roles for updating modules.

750-750: Permissions for destroy method are appropriate.

The allow_permission decorator correctly restricts access to "ADMIN" and checks if the user is the creator for deleting modules.

857-857: Permissions for patch and get methods in ModuleUserPropertiesEndpoint are broad.

The allow_permission decorator allows "ADMIN", "MEMBER", "VIEWER", and "GUEST" roles, which may be intentional for flexibility. Ensure this aligns with the intended access control.

Also applies to: 880-880

385-386: Permissions for list method include "GUEST" access.

The allow_permission decorator allows "GUEST" access, which may be intentional for broader visibility. Ensure this aligns with the intended access control.

web/core/constants/empty-state.ts (1)

493-493: Change in access property allows guest-level access.

The access property for PROJECT_VIEW now allows EUserProjectRoles.GUEST, which may affect visibility. Ensure this aligns with the intended access control.

apiserver/plane/app/views/cycle/base.py (10)

605-605: Permissions for create method are appropriate.

The allow_permission decorator correctly restricts access to "ADMIN" and "MEMBER" roles for creating cycles.

679-679: Permissions for partial_update method are appropriate.

The allow_permission decorator correctly restricts access to "ADMIN" and "MEMBER" roles for updating cycles.

767-767: Permissions for retrieve method are appropriate.

The allow_permission decorator correctly restricts access to "ADMIN", "MEMBER", and "VIEWER" roles for retrieving cycle details.

1036-1036: Permissions for destroy method are appropriate.

The allow_permission decorator correctly restricts access to "ADMIN" and checks if the user is the creator for deleting cycles.

1096-1096: Permissions for post method in CycleDateCheckEndpoint are appropriate.

The allow_permission decorator correctly restricts access to "ADMIN" and "MEMBER" roles for checking cycle dates.

1140-1140: Permissions for create method in CycleFavoriteViewSet are appropriate.

The allow_permission decorator correctly restricts access to "ADMIN" and "MEMBER" roles for creating cycle favorites.

1150-1150: Permissions for destroy method in CycleFavoriteViewSet are appropriate.

The allow_permission decorator correctly restricts access to "ADMIN" and "MEMBER" roles for deleting cycle favorites.

1165-1165: Permissions for post method in TransferCycleIssueEndpoint are appropriate.

The allow_permission decorator correctly restricts access to "ADMIN" and "MEMBER" roles for transferring cycle issues.

318-318: Permissions for list method include "GUEST" access.

The allow_permission decorator allows "GUEST" access, which may be intentional for broader visibility. Ensure this aligns with the intended access control.

1576-1576: Permissions for patch and get methods in CycleUserPropertiesEndpoint are broad.

The allow_permission decorator allows "ADMIN", "MEMBER", "VIEWER", and "GUEST" roles, which may be intentional for flexibility. Ensure this aligns with the intended access control.

Also applies to: 1599-1599

apiserver/plane/app/views/cycle/archive.py (3)

291-291: Use of @allow_permission decorator for get method.

The @allow_permission decorator enhances granularity by allowing "ADMIN", "MEMBER", and "VIEWER" roles to access the get method. This change provides more flexible access control compared to the previous class-level permissions.

596-596: Use of @allow_permission decorator for post method.

The @allow_permission decorator restricts access to the post method to "ADMIN" and "MEMBER" roles, ensuring that only authorized users can archive cycles. This aligns with typical access control practices for actions that modify data.

615-615: Use of @allow_permission decorator for delete method.

The @allow_permission decorator restricts access to the delete method to "ADMIN" and "MEMBER" roles, ensuring that only authorized users can unarchive cycles. This change enhances security by preventing unauthorized modifications.

apiserver/plane/app/views/project/base.py (8)

155-157: Use of @allow_permission decorator for list method.

The @allow_permission decorator allows "ADMIN", "MEMBER", "VIEWER", and "GUEST" roles at the "WORKSPACE" level to access the list method. This change provides flexible access control, ensuring appropriate access based on workspace context.

193-195: Use of @allow_permission decorator for retrieve method.

The @allow_permission decorator allows "ADMIN", "MEMBER", "VIEWER", and "GUEST" roles at the "WORKSPACE" level to access the retrieve method. This change enhances flexibility in access control while maintaining security.

267-267: Use of @allow_permission decorator for create method.

The @allow_permission decorator restricts access to the create method to "ADMIN" and "MEMBER" roles at the "WORKSPACE" level. This ensures that only authorized users can create projects, enhancing security.

397-397: Use of @allow_permission decorator for partial_update method.

The @allow_permission decorator restricts access to the partial_update method to "ADMIN" and "MEMBER" roles at the "WORKSPACE" level. This change ensures that only authorized users can update project details, maintaining data integrity.

479-479: Use of @allow_permission decorator for post method in ProjectArchiveUnarchiveEndpoint.

The @allow_permission decorator restricts access to the post method to "ADMIN" and "MEMBER" roles, ensuring that only authorized users can archive projects. This enhances security by controlling access to critical operations.

489-489: Use of @allow_permission decorator for delete method in ProjectArchiveUnarchiveEndpoint.

The @allow_permission decorator restricts access to the delete method to "ADMIN" and "MEMBER" roles, ensuring that only authorized users can unarchive projects. This change enhances security by preventing unauthorized modifications.

498-498: Use of @allow_permission decorator for get method in ProjectIdentifierEndpoint.

The @allow_permission decorator restricts access to the get method to "ADMIN" and "MEMBER" roles at the "WORKSPACE" level. This ensures that only authorized users can access project identifiers, maintaining security.

517-517: Use of @allow_permission decorator for delete method in ProjectIdentifierEndpoint.

The @allow_permission decorator restricts access to the delete method to "ADMIN" and "MEMBER" roles at the "WORKSPACE" level. This change ensures that only authorized users can delete project identifiers, enhancing security.

apiserver/plane/app/views/dashboard/base.py (4)

55-62: Conditional filtering in dashboard_overview_stats.

The introduction of extra_filters based on WorkspaceMember enhances the relevance of issue statistics by considering user roles within the workspace. This change allows for more accurate data representation.

195-201: Conditional filtering in dashboard_assigned_issues.

The added filtering logic based on WorkspaceMember ensures that assigned issues are filtered by the creator when the user has a specific role. This enhances data accuracy and relevance.

446-454: Conditional filtering in dashboard_issues_by_state_groups.

The extra_filters based on WorkspaceMember allow for more precise issue counts by state groups, reflecting user roles within the workspace. This change improves the accuracy of the dashboard data.

486-494: Conditional filtering in dashboard_issues_by_priority.

The introduction of extra_filters based on WorkspaceMember enhances the relevance of issue counts by priority, considering user roles within the workspace. This change ensures more accurate data representation.

apiserver/plane/app/permissions/__init__.py Outdated
ProjectMemberPermission,
ProjectLitePermission,
)
from .base import allow_permission No newline at end of file
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove unused import allow_permission.

The import statement for allow_permission is currently unused in this module. Consider removing it or adding it to __all__ if it's intended to be part of the module's public API.

- from .base import allow_permission
Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
from .base import allow_permission
Tools
Ruff

15-15: .base.allow_permission imported but unused; consider removing, adding to __all__, or using a redundant alias

(F401)

GitHub Check: Codacy Static Code Analysis

[notice] 15-15: apiserver/plane/app/permissions/init.py#L15
'.base.allow_permission' imported but unused (F401)

web/core/layouts/auth-layout/workspace-wrapper.tsx
const { resolvedTheme } = useTheme();
// store hooks
const { membership, signOut, data: currentUser } = useUser();
const { membership, signOut, data: currentUser, canPerformWorkspaceMemberActions } = useUser();
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Enhance readability by destructuring useUser hook.

The addition of canPerformWorkspaceMemberActions is well-integrated. Consider destructuring the useUser hook to improve readability and maintainability if more properties are added in the future.

- const { membership, signOut, data: currentUser, canPerformWorkspaceMemberActions } = useUser();
+ const {
+   membership,
+   signOut,
+   data: currentUser,
+   canPerformWorkspaceMemberActions
+ } = useUser();
Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const { membership, signOut, data: currentUser, canPerformWorkspaceMemberActions } = useUser();
const {
membership,
signOut,
data: currentUser,
canPerformWorkspaceMemberActions
} = useUser();

apiserver/plane/app/views/issue/comment.py Outdated
CommentReactionSerializer,
)
from plane.app.permissions import ProjectLitePermission
from plane.app.permissions import ProjectLitePermission, allow_permission
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove unused ProjectLitePermission.

The ProjectLitePermission import is no longer used after switching to the allow_permission decorator. Consider removing it to clean up the code.

- from plane.app.permissions import ProjectLitePermission, allow_permission
+ from plane.app.permissions import allow_permission
Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
from plane.app.permissions import ProjectLitePermission, allow_permission
from plane.app.permissions import allow_permission

web/core/components/command-palette/command-palette.tsx
Comment on lines +132 to +139
if (!canPerformWorkspaceMemberActions && showToast)
setToast({
type: TOAST_TYPE.ERROR,
title: "You don't have permission to perform this action.",
});
return canPerformWorkspaceCreateActions;
return canPerformWorkspaceMemberActions;
},
[canPerformWorkspaceCreateActions]
[canPerformWorkspaceMemberActions]
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Refactor: Simplify Workspace Permission Check Logic

The performWorkspaceCreateActions function checks for workspace member permissions. Consider simplifying the logic by removing the showToast parameter if it's always true.

-  const performWorkspaceCreateActions = useCallback(
-    (showToast: boolean = true) => {
+  const performWorkspaceCreateActions = useCallback(() => {
       if (!canPerformWorkspaceMemberActions)
         setToast({
           type: TOAST_TYPE.ERROR,
           title: "You don't have permission to perform this action.",
         });
       return canPerformWorkspaceMemberActions;
     },
-    [canPerformWorkspaceMemberActions]
+    [canPerformWorkspaceMemberActions, setToast]
   );
Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if (!canPerformWorkspaceMemberActions && showToast)
setToast({
type: TOAST_TYPE.ERROR,
title: "You don't have permission to perform this action.",
});
return canPerformWorkspaceCreateActions;
return canPerformWorkspaceMemberActions;
},
[canPerformWorkspaceCreateActions]
[canPerformWorkspaceMemberActions]
const performWorkspaceCreateActions = useCallback(() => {
if (!canPerformWorkspaceMemberActions)
setToast({
type: TOAST_TYPE.ERROR,
title: "You don't have permission to perform this action.",
});
return canPerformWorkspaceMemberActions;
},
[canPerformWorkspaceMemberActions, setToast]

web/core/components/command-palette/command-palette.tsx
Comment on lines +106 to +114
if (!canPerformProjectMemberActions && showToast)
setToast({
type: TOAST_TYPE.ERROR,
title: "You don't have permission to perform this action.",
});

return canPerformProjectCreateActions;
return canPerformProjectMemberActions;
},
[canPerformProjectCreateActions]
[canPerformProjectMemberActions]
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Refactor: Simplify Permission Check Logic

The performProjectCreateActions function now checks for member-level permissions. Consider simplifying the logic by removing the redundant showToast parameter if it's always true.

-  const performProjectCreateActions = useCallback(
-    (showToast: boolean = true) => {
+  const performProjectCreateActions = useCallback(() => {
       if (!canPerformProjectMemberActions)
         setToast({
           type: TOAST_TYPE.ERROR,
           title: "You don't have permission to perform this action.",
         });
       return canPerformProjectMemberActions;
     },
-    [canPerformProjectMemberActions]
+    [canPerformProjectMemberActions, setToast]
   );
Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if (!canPerformProjectMemberActions && showToast)
setToast({
type: TOAST_TYPE.ERROR,
title: "You don't have permission to perform this action.",
});
return canPerformProjectCreateActions;
return canPerformProjectMemberActions;
},
[canPerformProjectCreateActions]
[canPerformProjectMemberActions]
const performProjectCreateActions = useCallback(() => {
if (!canPerformProjectMemberActions)
setToast({
type: TOAST_TYPE.ERROR,
title: "You don't have permission to perform this action.",
});
return canPerformProjectMemberActions;
}, [canPerformProjectMemberActions, setToast]);

web/core/components/workspace/sidebar/projects-list-item.tsx
Comment on lines +502 to +528
<>
{currentRole >= item.access && (
<Tooltip
key={item.name}
className={`pl-[18px] ${isSidebarCollapsed ? "p-0 size-7 justify-center mx-auto" : ""}`}
isActive={pathname.includes(item.href)}
isMobile={isMobile}
tooltipContent={`${project?.name}: ${item.name}`}
position="right"
className="ml-2"
disabled={!isSidebarCollapsed}
>
<div className="flex items-center gap-1.5 py-[1px]">
<item.Icon
className={`flex-shrink-0 size-4 ${item.name === "Intake" ? "stroke-1" : "stroke-[1.5]"}`}
/>
{!isSidebarCollapsed && <span className="text-xs font-medium">{item.name}</span>}
</div>
</SidebarNavItem>
</Link>
</Tooltip>
<Link key={item.name} href={item.href} onClick={handleProjectClick}>
<SidebarNavItem
key={item.name}
className={`pl-[18px] ${isSidebarCollapsed ? "p-0 size-7 justify-center mx-auto" : ""}`}
isActive={pathname.includes(item.href)}
>
<div className="flex items-center gap-1.5 py-[1px]">
<item.Icon
className={`flex-shrink-0 size-4 ${item.name === "Intake" ? "stroke-1" : "stroke-[1.5]"}`}
/>
{!isSidebarCollapsed && <span className="text-xs font-medium">{item.name}</span>}
</div>
</SidebarNavItem>
</Link>
</Tooltip>
)}
</>
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a key property to iterable elements.

Each child in a list should have a unique "key" prop to help React identify which items have changed, are added, or removed.

- {navigation(workspaceSlug?.toString(), project?.id).map((item) => {
+ {navigation(workspaceSlug?.toString(), project?.id).map((item, index) => {
+   const key = `${item.name}-${index}`;
    return (
      <>
-       {currentRole >= item.access && (
+       {currentRole >= item.access && (
+         <Tooltip key={key}
            ...
-         </Tooltip>
+         </Tooltip>
        )}
      </>
    );
  })}

Committable suggestion was skipped due to low confidence.

Tools
Biome

[error] 502-528: Missing key property for this element in iterable.

The order of the items may change, and having a key can help React identify which item was moved.
Check the React documentation.

(lint/correctness/useJsxKeyInIterable)

apiserver/plane/app/views/estimate/base.py Outdated
ProjectEntityPermission,
]

@allow_permission(["ADMIN", "MEMBER"])
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implement key validation in create method.

The TODO comment indicates missing key validation. Ensure that duplicate keys are handled to maintain data integrity.

Would you like assistance in implementing the key validation logic or opening a GitHub issue to track this task?

coderabbitai[bot]
coderabbitai bot reviewed Aug 14, 2024
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 3151bce and 05dc43e.

Files selected for processing (25)
  • apiserver/plane/app/permissions/init.py (1 hunks)
  • apiserver/plane/app/permissions/base.py (1 hunks)
  • apiserver/plane/app/views/analytic/base.py (5 hunks)
  • apiserver/plane/app/views/cycle/archive.py (5 hunks)
  • apiserver/plane/app/views/cycle/base.py (13 hunks)
  • apiserver/plane/app/views/cycle/issue.py (7 hunks)
  • apiserver/plane/app/views/estimate/base.py (5 hunks)
  • apiserver/plane/app/views/exporter/base.py (3 hunks)
  • apiserver/plane/app/views/external/base.py (3 hunks)
  • apiserver/plane/app/views/inbox/base.py (13 hunks)
  • apiserver/plane/app/views/issue/activity.py (2 hunks)
  • apiserver/plane/app/views/issue/archive.py (8 hunks)
  • apiserver/plane/app/views/issue/attachment.py (3 hunks)
  • apiserver/plane/app/views/issue/base.py (12 hunks)
  • apiserver/plane/app/views/issue/comment.py (5 hunks)
  • apiserver/plane/app/views/issue/label.py (4 hunks)
  • apiserver/plane/app/views/module/base.py (10 hunks)
  • apiserver/plane/app/views/module/issue.py (7 hunks)
  • apiserver/plane/app/views/notification/base.py (11 hunks)
  • apiserver/plane/app/views/page/base.py (17 hunks)
  • apiserver/plane/app/views/project/base.py (11 hunks)
  • apiserver/plane/app/views/project/member.py (8 hunks)
  • apiserver/plane/app/views/view/base.py (13 hunks)
  • apiserver/plane/app/views/webhook/base.py (5 hunks)
  • apiserver/plane/app/views/workspace/favorite.py (5 hunks)
Files skipped from review due to trivial changes (2)
  • apiserver/plane/app/views/issue/archive.py
  • apiserver/plane/app/views/webhook/base.py
Files skipped from review as they are similar to previous changes (17)
  • apiserver/plane/app/permissions/base.py
  • apiserver/plane/app/views/analytic/base.py
  • apiserver/plane/app/views/cycle/archive.py
  • apiserver/plane/app/views/cycle/base.py
  • apiserver/plane/app/views/cycle/issue.py
  • apiserver/plane/app/views/exporter/base.py
  • apiserver/plane/app/views/external/base.py
  • apiserver/plane/app/views/inbox/base.py
  • apiserver/plane/app/views/issue/activity.py
  • apiserver/plane/app/views/issue/attachment.py
  • apiserver/plane/app/views/issue/base.py
  • apiserver/plane/app/views/issue/comment.py
  • apiserver/plane/app/views/module/base.py
  • apiserver/plane/app/views/module/issue.py
  • apiserver/plane/app/views/page/base.py
  • apiserver/plane/app/views/project/member.py
  • apiserver/plane/app/views/view/base.py
Additional context used
Ruff
apiserver/plane/app/permissions/__init__.py

15-15: .base.allow_permission imported but unused; consider removing, adding to __all__, or using a redundant alias

(F401)

15-15: .base.ROLE imported but unused; consider removing, adding to __all__, or using a redundant alias

(F401)

GitHub Check: Codacy Static Code Analysis
apiserver/plane/app/permissions/__init__.py

[notice] 15-15: apiserver/plane/app/permissions/init.py#L15
'.base.allow_permission' imported but unused (F401)

Additional comments not posted (19)
apiserver/plane/app/views/issue/label.py (2)

46-46: Enhance security with allow_permission decorator.

The addition of the @allow_permission decorator to methods in LabelViewSet and BulkCreateIssueLabelsEndpoint improves security by enforcing role-based access control. Ensure that the roles specified align with the intended access policies.

Also applies to: 69-69, 76-76, 82-82

14-14: Verify the impact of permission class changes.

The shift from ProjectMemberPermission to ProjectBasePermission in LabelViewSet might affect access logic. Ensure that this change aligns with the intended permission model and doesn't inadvertently restrict or grant access.

apiserver/plane/app/views/workspace/favorite.py (1)

17-19: Improve flexibility with method-level permissions.

The use of the @allow_permission decorator at the method level enhances flexibility and readability by allowing specific permissions for each action. Verify that the roles and levels specified are consistent with the overall access control strategy.

Also applies to: 37-39, 52-54, 67-69, 80-82

apiserver/plane/app/views/estimate/base.py (2)

235-235: LGTM!

The access control for the destroy method is appropriately restricted to "ADMIN" and "MEMBER" roles.

31-31: Verify broader access permissions.

The get method now allows "VIEWER" role access. Ensure this aligns with the intended permission model for viewing estimate points.

apiserver/plane/app/views/notification/base.py (6)

197-199: LGTM!

The access control for the mark_read method is appropriately restricted to "ADMIN" and "MEMBER" roles.

209-211: LGTM!

The access control for the mark_unread method is appropriately restricted to "ADMIN" and "MEMBER" roles.

221-223: LGTM!

The access control for the archive method is appropriately restricted to "ADMIN" and "MEMBER" roles.

233-235: LGTM!

The access control for the unarchive method is appropriately restricted to "ADMIN" and "MEMBER" roles.

43-46: Verify broader access permissions.

The list method now allows "VIEWER" and "GUEST" roles access. Ensure this aligns with the intended permission model for listing notifications.

176-179: Verify broader access permissions.

The partial_update method now allows "VIEWER" and "GUEST" roles access. Ensure this aligns with the intended permission model for updating notifications.

apiserver/plane/app/views/project/base.py (8)

270-270: LGTM!

The access control for the create method is appropriately restricted to "ADMIN" and "MEMBER" roles.

400-400: LGTM!

The access control for the partial_update method is appropriately restricted to "ADMIN" and "MEMBER" roles.

482-482: LGTM!

The access control for the post method is appropriately restricted to "ADMIN" and "MEMBER" roles.

492-492: LGTM!

The access control for the delete method is appropriately restricted to "ADMIN" and "MEMBER" roles.

501-501: LGTM!

The access control for the get method is appropriately restricted to "ADMIN" and "MEMBER" roles.

520-520: LGTM!

The access control for the delete method is appropriately restricted to "ADMIN" and "MEMBER" roles.

156-159: Verify broader access permissions.

The list method now allows "VIEWER" and "GUEST" roles access. Ensure this aligns with the intended permission model for listing projects.

Verification successful

Broader access permissions verified.

The list method in ProjectViewSet allows broader access as intended by the allow_permission decorator. No additional permission modifications are present in the inherited BaseViewSet.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify if the broader access for the `list` method aligns with the intended permission model.

# Test: Search for all references to `list` in `ProjectViewSet`.
ast-grep --lang python --pattern $'class ProjectViewSet {
  $$$
  def list(self, $_, $_) {
    $$$
  }
  $$$
}'

Length of output: 457

Script:

#!/bin/bash
# Corrected search for the `list` method in the `ProjectViewSet` class using ast-grep with Python syntax.
ast-grep --lang python --pattern $'class ProjectViewSet:\n    $$$\n    def list(self, $_):\n        $$$\n    $$$'

Length of output: 110

Script:

#!/bin/bash
# Search for the `ProjectViewSet` class and list its methods using ripgrep.
rg -A 10 'class ProjectViewSet' --glob '*.py'

Length of output: 877

Script:

#!/bin/bash
# Search for the `BaseViewSet` class and its methods to check for a `list` method.
rg -A 10 'class BaseViewSet' --glob '*.py'

Length of output: 1259

Script:

#!/bin/bash
# Search for decorators applied to methods in `BaseViewSet` to check for permission-related decorators.
rg -A 5 '@' apiserver/plane/app/views/base.py

Length of output: 1146

195-198: Verify broader access permissions.

The retrieve method now allows "VIEWER" and "GUEST" roles access. Ensure this aligns with the intended permission model for retrieving projects.

apiserver/plane/app/views/estimate/base.py
ProjectEntityPermission,
]

@allow_permission([ROLE.ADMIN, ROLE.MEMBER])
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implement key validation in create method.

The TODO comment indicates missing key validation. Ensure that duplicate keys are handled to maintain data integrity.

Would you like assistance in implementing the key validation logic or opening a GitHub issue to track this task?

apiserver/plane/app/views/estimate/base.py
serializer = EstimatePointSerializer(estimate_point).data
return Response(serializer, status=status.HTTP_200_OK)

@allow_permission([ROLE.ADMIN, ROLE.MEMBER])
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implement key validation in partial_update method.

The TODO comment indicates missing key validation. Ensure that updates do not introduce duplicate keys.

Would you like assistance in implementing the key validation logic or opening a GitHub issue to track this task?

apiserver/plane/app/permissions/__init__.py
ProjectMemberPermission,
ProjectLitePermission,
)
from .base import allow_permission, ROLE No newline at end of file
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove unused imports allow_permission and ROLE.

The imports allow_permission and ROLE from .base are currently unused in this module. Consider removing them or adding them to __all__ if they're intended to be part of the module's public API.

- from .base import allow_permission, ROLE
Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
from .base import allow_permission, ROLE
Tools
Ruff

15-15: .base.allow_permission imported but unused; consider removing, adding to __all__, or using a redundant alias

(F401)

15-15: .base.ROLE imported but unused; consider removing, adding to __all__, or using a redundant alias

(F401)

GitHub Check: Codacy Static Code Analysis

[notice] 15-15: apiserver/plane/app/permissions/init.py#L15
'.base.allow_permission' imported but unused (F401)

coderabbitai[bot]
coderabbitai bot reviewed Aug 16, 2024
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 05dc43e and a91e94a.

Files selected for processing (12)
  • apiserver/plane/app/views/cycle/base.py (13 hunks)
  • apiserver/plane/app/views/cycle/issue.py (7 hunks)
  • apiserver/plane/app/views/inbox/base.py (13 hunks)
  • apiserver/plane/app/views/issue/archive.py (6 hunks)
  • apiserver/plane/app/views/issue/attachment.py (3 hunks)
  • apiserver/plane/app/views/issue/base.py (12 hunks)
  • apiserver/plane/app/views/issue/comment.py (5 hunks)
  • apiserver/plane/app/views/module/base.py (10 hunks)
  • apiserver/plane/app/views/module/issue.py (6 hunks)
  • web/core/components/command-palette/command-palette.tsx (3 hunks)
  • web/core/components/workspace/sidebar/projects-list-item.tsx (6 hunks)
  • web/core/hooks/use-favorite-item-details.tsx (1 hunks)
Files skipped from review as they are similar to previous changes (10)
  • apiserver/plane/app/views/cycle/base.py
  • apiserver/plane/app/views/cycle/issue.py
  • apiserver/plane/app/views/inbox/base.py
  • apiserver/plane/app/views/issue/archive.py
  • apiserver/plane/app/views/issue/base.py
  • apiserver/plane/app/views/issue/comment.py
  • apiserver/plane/app/views/module/base.py
  • apiserver/plane/app/views/module/issue.py
  • web/core/components/command-palette/command-palette.tsx
  • web/core/hooks/use-favorite-item-details.tsx
Additional context used
Ruff
apiserver/plane/app/views/issue/attachment.py

25-25: Undefined name allow_permission

(F821)

25-25: Undefined name ROLE

(F821)

25-25: Undefined name ROLE

(F821)

25-25: Undefined name ROLE

(F821)

47-47: Undefined name allow_permission

(F821)

47-47: Undefined name ROLE

(F821)

66-66: Undefined name allow_permission

(F821)

66-66: Undefined name ROLE

(F821)

66-66: Undefined name ROLE

(F821)

66-66: Undefined name ROLE

(F821)

66-66: Undefined name ROLE

(F821)

Biome
web/core/components/workspace/sidebar/projects-list-item.tsx

[error] 504-530: Missing key property for this element in iterable.

The order of the items may change, and having a key can help React identify which item was moved.
Check the React documentation.

(lint/correctness/useJsxKeyInIterable)

Additional comments not posted (10)
apiserver/plane/app/views/issue/attachment.py (6)

25-25: Ensure allow_permission and ROLE are defined.

The allow_permission decorator and ROLE constants must be correctly defined and imported for this code to function as expected.

Verification successful

Verification Successful: allow_permission and ROLE are correctly defined and imported.

The allow_permission decorator and ROLE constants are properly defined and imported in the codebase, ensuring that the permissions are managed as expected in the post method. No further issues were found related to these components.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the existence of `allow_permission` and `ROLE`.

# Test: Search for `allow_permission` and `ROLE` definitions. Expect: Definitions should exist.
rg --type python --fixed-strings 'allow_permission'
rg --type python --fixed-strings 'ROLE'

Length of output: 153

Script:

#!/bin/bash
# Description: Verify the existence of `allow_permission` and `ROLE`.

# Test: Search for `allow_permission` and `ROLE` definitions. Expect: Definitions should exist.
rg --type py --fixed-strings 'allow_permission'
rg --type py --fixed-strings 'ROLE'

Length of output: 30524

Tools
Ruff

25-25: Undefined name allow_permission

(F821)

25-25: Undefined name ROLE

(F821)

25-25: Undefined name ROLE

(F821)

25-25: Undefined name ROLE

(F821)

Line range hint 47-60:
LGTM! Verify the deletion logic.

The delete method logic is correct, but ensure that the deletion of issue_attachment and its asset is handled properly.

Verify that the deletion process is correctly implemented and doesn't leave orphaned assets.

Verification successful

Deletion Logic Verified: No Orphaned Assets

The deletion logic for issue_attachment and its asset is correctly implemented in both apiserver/plane/api/views/issue.py and apiserver/plane/app/views/issue/attachment.py. The asset is deleted before the issue_attachment, ensuring no orphaned assets remain.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify `issue_attachment` deletion logic.

# Test: Search for `issue_attachment` deletion logic. Expect: Proper handling of asset deletion.
rg --type python --context 5 'issue_attachment.delete'

Length of output: 85

Script:

#!/bin/bash
# Description: Verify `issue_attachment` deletion logic.

# Test: Search for `issue_attachment` deletion logic. Expect: Proper handling of asset deletion.
rg --type py --context 5 'issue_attachment.delete'

Length of output: 1956

Tools
Ruff

47-47: Undefined name allow_permission

(F821)

47-47: Undefined name ROLE

(F821)

66-66: Ensure allow_permission decorator is correctly applied.

The allow_permission decorator should be correctly applied to manage access for the get method.

Verification successful

allow_permission Decorator Correctly Applied

The allow_permission decorator is correctly applied to the get method in apiserver/plane/app/views/issue/attachment.py, managing permissions for roles ADMIN, MEMBER, GUEST, and VIEWER. No further issues found.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify `allow_permission` decorator application for the `get` method.

# Test: Search for `allow_permission` usage in the `get` method. Expect: Correct application.
rg --type python --fixed-strings 'allow_permission'

Length of output: 82

Script:

#!/bin/bash
# Description: Verify `allow_permission` decorator application for the `get` method.

# Test: Search for `allow_permission` usage in the codebase. Expect: Correct application.
rg 'allow_permission'

Length of output: 14267

Tools
Ruff

66-66: Undefined name allow_permission

(F821)

66-66: Undefined name ROLE

(F821)

66-66: Undefined name ROLE

(F821)

66-66: Undefined name ROLE

(F821)

66-66: Undefined name ROLE

(F821)

47-47: Ensure allow_permission decorator is correctly configured.

The allow_permission decorator uses creator=True and model=IssueAttachment. Ensure these configurations are supported and correctly implemented.

Verification successful

allow_permission Decorator Configuration Verified

The allow_permission decorator is correctly configured to support creator=True and model=IssueAttachment. The function definition in apiserver/plane/app/permissions/base.py confirms support for these parameters. No issues found with the current implementation.

  • apiserver/plane/app/permissions/base.py: Function definition supports creator and model parameters.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify `allow_permission` decorator supports `creator=True` and `model=IssueAttachment`.

# Test: Search for `allow_permission` usage with `creator` and `model` arguments. Expect: Correct implementation.
rg --type python --fixed-strings 'allow_permission'

Length of output: 82

Script:

#!/bin/bash
# Description: Verify `allow_permission` decorator supports `creator=True` and `model=IssueAttachment`.

# Test: Search for `allow_permission` usage with `creator` and `model` arguments. Expect: Correct implementation.
rg --type py --fixed-strings 'allow_permission'

Length of output: 14293

Tools
Ruff

47-47: Undefined name allow_permission

(F821)

47-47: Undefined name ROLE

(F821)

Line range hint 66-72:
LGTM! Verify the query logic.

The get method logic is correct, but ensure that the query for issue_attachments is efficient and returns expected results.

Verify that the query correctly filters issue_attachments based on issue_id, workspace__slug, and project_id.

Verification successful

Query Logic Verified Successfully
The query logic for issue_attachments in the get method correctly filters based on issue_id, workspace__slug, and project_id. The logic is efficient and returns the expected results.

  • File: apiserver/plane/app/views/issue/attachment.py
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify `issue_attachments` query logic.

# Test: Search for `issue_attachments` query logic. Expect: Correct filtering based on `issue_id`, `workspace__slug`, and `project_id`.
rg --type python --context 5 'IssueAttachment.objects.filter'

Length of output: 92

Script:

#!/bin/bash
# Description: Verify `issue_attachments` query logic.

# Test: Search for `issue_attachments` query logic. Expect: Correct filtering based on `issue_id`, `workspace__slug`, and `project_id`.
rg --type py --context 5 'IssueAttachment.objects.filter'

Length of output: 18681

Tools
Ruff

66-66: Undefined name allow_permission

(F821)

66-66: Undefined name ROLE

(F821)

66-66: Undefined name ROLE

(F821)

66-66: Undefined name ROLE

(F821)

66-66: Undefined name ROLE

(F821)

Line range hint 25-41:
LGTM! Verify the serializer logic.

The post method logic is correct, but ensure that the IssueAttachmentSerializer handles project and issue IDs as expected.

Verify that the serializer correctly processes the project_id and issue_id.

Tools
Ruff

25-25: Undefined name allow_permission

(F821)

25-25: Undefined name ROLE

(F821)

25-25: Undefined name ROLE

(F821)

25-25: Undefined name ROLE

(F821)

web/core/components/workspace/sidebar/projects-list-item.tsx (4)

48-48: LGTM! The useUser hook is appropriately imported.

The import of useUser aligns with the PR objectives to manage user roles.

73-103: LGTM! Navigation items have appropriate access control.

The access property for navigation items is correctly applied to manage role-based visibility.

Line range hint 390-425:
LGTM! Conditional rendering of menu items is correctly implemented.

The render logic for menu items based on user roles is correctly applied.

504-530: Add a key property to iterable elements.

Each child in a list should have a unique "key" prop to help React identify which items have changed, are added, or removed.

Tools
Biome

[error] 504-530: Missing key property for this element in iterable.

The order of the items may change, and having a key can help React identify which item was moved.
Check the React documentation.

(lint/correctness/useJsxKeyInIterable)

@pushya22 pushya22 linked an issue Aug 16, 2024 that may be closed by this pull request
[bug]: Project member can't edit their view #5352
Closed
1 task
@pushya22 pushya22 merged commit 0a1c656 into preview Aug 16, 2024
@coderabbitai coderabbitai bot mentioned this pull request Oct 8, 2024
Closed
@coderabbitai coderabbitai bot mentioned this pull request Nov 26, 2024
Merged
@sriramveeraghanta sriramveeraghanta deleted the fix-user-role-permission branch May 2, 2025 09:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@gurusainath gurusainath gurusainath approved these changes

@pushya22 pushya22 pushya22 approved these changes

@sriramveeraghanta sriramveeraghanta Awaiting requested review from sriramveeraghanta

@pablohashescobar pablohashescobar Awaiting requested review from pablohashescobar

+1 more reviewer

@SatishGandham SatishGandham SatishGandham approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@anmolsinghbhatia anmolsinghbhatia

Labels

⚙️backend 🧹chore 🌐frontend 🌟improvement

Projects

None yet

Milestone

v0.23.0

Development

Successfully merging this pull request may close these issues.

[bug]: Project member can't edit their view

5 participants

@anmolsinghbhatia @SatishGandham @gurusainath @pushya22 @NarayanBavisetti