[WEB-2126] chore: guest and viewer role permission

apiserver/plane/app/permissions/__init__.py

@@ -12,3 +12,4 @@
     ProjectMemberPermission,
     ProjectLitePermission,
 )
+from .base import allow_permission, ROLE

apiserver/plane/app/permissions/base.py

@@ -0,0 +1,61 @@
+from plane.db.models import WorkspaceMember, ProjectMember
+from functools import wraps
+from rest_framework.response import Response
+from rest_framework import status
+
+from enum import Enum
+
+class ROLE(Enum):
+    ADMIN = 20
+    MEMBER = 15
+    VIEWER = 10
+    GUEST = 5
+
+
+def allow_permission(allowed_roles, level="PROJECT", creator=False, model=None):
+    def decorator(view_func):
+        @wraps(view_func)
+        def _wrapped_view(instance, request, *args, **kwargs):
+
+            # Check for creator if required
+            if creator and model:
+                obj = model.objects.filter(
+                    id=kwargs["pk"], created_by=request.user
+                ).exists()
+                if obj:
+                    return view_func(instance, request, *args, **kwargs)
+
+            # Convert allowed_roles to their values if they are enum members
+            allowed_role_values = [
+                role.value if isinstance(role, ROLE) else role
+                for role in allowed_roles
+            ]
+
+            # Check role permissions
+            if level == "WORKSPACE":
+                if WorkspaceMember.objects.filter(
+                    member=request.user,
+                    workspace__slug=kwargs["slug"],
+                    role__in=allowed_role_values,
+                    is_active=True,
+                ).exists():
+                    return view_func(instance, request, *args, **kwargs)
+            else:
+                if ProjectMember.objects.filter(
+                    member=request.user,
+                    workspace__slug=kwargs["slug"],
+                    project_id=kwargs["project_id"],
+                    role__in=allowed_role_values,
+                    is_active=True,
+                ).exists():
+                    return view_func(instance, request, *args, **kwargs)
+
+            # Return permission denied if no conditions are met
+            return Response(
+                {"error": "You don't have the required permissions."},
+                status=status.HTTP_401_UNAUTHORIZED,
+            )
+
+        return _wrapped_view
+
+    return decorator

apiserver/plane/app/urls/inbox.py

@@ -40,7 +40,7 @@
         name="inbox-issue",
     ),
     path(
-        "workspaces/<str:slug>/projects/<uuid:project_id>/inbox-issues/<uuid:issue_id>/",
+        "workspaces/<str:slug>/projects/<uuid:project_id>/inbox-issues/<uuid:pk>/",
         InboxIssueViewSet.as_view(
             {
                 "get": "retrieve",

apiserver/plane/app/views/analytic/base.py

@@ -7,22 +7,22 @@
 from rest_framework import status
 from rest_framework.response import Response
 
+# Module imports
 from plane.app.permissions import WorkSpaceAdminPermission
 from plane.app.serializers import AnalyticViewSerializer
-
-# Module imports
 from plane.app.views.base import BaseAPIView, BaseViewSet
 from plane.bgtasks.analytic_plot_export import analytic_export_task
 from plane.db.models import AnalyticView, Issue, Workspace
 from plane.utils.analytics_plot import build_graph_plot
 from plane.utils.issue_filters import issue_filters
+from plane.app.permissions import allow_permission, ROLE
 
 
 class AnalyticsEndpoint(BaseAPIView):
-    permission_classes = [
-        WorkSpaceAdminPermission,
-    ]
 
+    @allow_permission(
+        [ROLE.ADMIN, ROLE.MEMBER, ROLE.VIEWER], level="WORKSPACE"
+    )
     def get(self, request, slug):
         x_axis = request.GET.get("x_axis", False)
         y_axis = request.GET.get("y_axis", False)
@@ -201,10 +201,10 @@ def get_queryset(self):
 
 
 class SavedAnalyticEndpoint(BaseAPIView):
-    permission_classes = [
-        WorkSpaceAdminPermission,
-    ]
 
+    @allow_permission(
+        [ROLE.ADMIN, ROLE.MEMBER, ROLE.VIEWER], level="WORKSPACE"
+    )
     def get(self, request, slug, analytic_id):
         analytic_view = AnalyticView.objects.get(
             pk=analytic_id, workspace__slug=slug
@@ -234,10 +234,10 @@ def get(self, request, slug, analytic_id):
 
 
 class ExportAnalyticsEndpoint(BaseAPIView):
-    permission_classes = [
-        WorkSpaceAdminPermission,
-    ]
 
+    @allow_permission(
+        [ROLE.ADMIN, ROLE.MEMBER, ROLE.VIEWER], level="WORKSPACE"
+    )
     def post(self, request, slug):
         x_axis = request.data.get("x_axis", False)
         y_axis = request.data.get("y_axis", False)
@@ -301,10 +301,10 @@ def post(self, request, slug):
 
 
 class DefaultAnalyticsEndpoint(BaseAPIView):
-    permission_classes = [
-        WorkSpaceAdminPermission,
-    ]
 
+    @allow_permission(
+        [ROLE.ADMIN, ROLE.MEMBER, ROLE.VIEWER, ROLE.GUEST], level="WORKSPACE"
+    )
     def get(self, request, slug):
         filters = issue_filters(request.GET, "GET")
         base_issues = Issue.issue_objects.filter(
@@ -380,12 +380,10 @@ def get(self, request, slug):
             .order_by("-count")
         )
 
-        open_estimate_sum = open_issues_queryset.aggregate(
-            sum=Sum("point")
-        )["sum"]
-        total_estimate_sum = base_issues.aggregate(sum=Sum("point"))[
+        open_estimate_sum = open_issues_queryset.aggregate(sum=Sum("point"))[
             "sum"
         ]
+        total_estimate_sum = base_issues.aggregate(sum=Sum("point"))["sum"]
 
         return Response(
             {

apiserver/plane/app/views/cycle/archive.py

@@ -24,7 +24,7 @@
 # Third party imports
 from rest_framework import status
 from rest_framework.response import Response
-from plane.app.permissions import ProjectEntityPermission
+from plane.app.permissions import allow_permission, ROLE
 from plane.db.models import Cycle, UserFavorite, Issue, Label, User, Project
 from plane.utils.analytics_plot import burndown_plot
 
@@ -34,10 +34,6 @@
 
 class CycleArchiveUnarchiveEndpoint(BaseAPIView):
 
-    permission_classes = [
-        ProjectEntityPermission,
-    ]
-
     def get_queryset(self):
         favorite_subquery = UserFavorite.objects.filter(
             user=self.request.user,
@@ -292,6 +288,7 @@ def get_queryset(self):
             .distinct()
         )
 
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER, ROLE.VIEWER])
     def get(self, request, slug, project_id, pk=None):
         if pk is None:
             queryset = (
@@ -596,6 +593,7 @@ def get(self, request, slug, project_id, pk=None):
                 status=status.HTTP_200_OK,
             )
 
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER])
     def post(self, request, slug, project_id, cycle_id):
         cycle = Cycle.objects.get(
             pk=cycle_id, project_id=project_id, workspace__slug=slug
@@ -614,6 +612,7 @@ def post(self, request, slug, project_id, cycle_id):
             status=status.HTTP_200_OK,
         )
 
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER])
     def delete(self, request, slug, project_id, cycle_id):
         cycle = Cycle.objects.get(
             pk=cycle_id, project_id=project_id, workspace__slug=slug

apiserver/plane/app/views/cycle/base.py

@@ -29,8 +29,7 @@
 from rest_framework import status
 from rest_framework.response import Response
 from plane.app.permissions import (
-    ProjectEntityPermission,
-    ProjectLitePermission,
+    allow_permission, ROLE
 )
 from plane.app.serializers import (
     CycleSerializer,
@@ -60,15 +59,6 @@ class CycleViewSet(BaseViewSet):
     serializer_class = CycleSerializer
     model = Cycle
     webhook_event = "cycle"
-    permission_classes = [
-        ProjectEntityPermission,
-    ]
-
-    def perform_create(self, serializer):
-        serializer.save(
-            project_id=self.kwargs.get("project_id"),
-            owned_by=self.request.user,
-        )
 
     def get_queryset(self):
         favorite_subquery = UserFavorite.objects.filter(
@@ -325,6 +315,7 @@ def get_queryset(self):
             .distinct()
         )
 
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER, ROLE.VIEWER, ROLE.GUEST])
     def list(self, request, slug, project_id):
         queryset = self.get_queryset().filter(archived_at__isnull=True)
         cycle_view = request.GET.get("cycle_view", "all")
@@ -611,6 +602,7 @@ def list(self, request, slug, project_id):
         )
         return Response(data, status=status.HTTP_200_OK)
 
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER])
     def create(self, request, slug, project_id):
         if (
             request.data.get("start_date", None) is None
@@ -684,6 +676,7 @@ def create(self, request, slug, project_id):
                 status=status.HTTP_400_BAD_REQUEST,
             )
 
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER])
     def partial_update(self, request, slug, project_id, pk):
         queryset = self.get_queryset().filter(
             workspace__slug=slug, project_id=project_id, pk=pk
@@ -771,6 +764,7 @@ def partial_update(self, request, slug, project_id, pk):
             return Response(cycle, status=status.HTTP_200_OK)
         return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER, ROLE.VIEWER])
     def retrieve(self, request, slug, project_id, pk):
         queryset = (
             self.get_queryset().filter(archived_at__isnull=True).filter(pk=pk)
@@ -1039,6 +1033,7 @@ def retrieve(self, request, slug, project_id, pk):
             status=status.HTTP_200_OK,
         )
 
+    @allow_permission([ROLE.ADMIN], creator=True, model=Cycle)
     def destroy(self, request, slug, project_id, pk):
         cycle = Cycle.objects.get(
             workspace__slug=slug, project_id=project_id, pk=pk
@@ -1097,10 +1092,8 @@ def destroy(self, request, slug, project_id, pk):
 
 
 class CycleDateCheckEndpoint(BaseAPIView):
-    permission_classes = [
-        ProjectEntityPermission,
-    ]
 
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER])
     def post(self, request, slug, project_id):
         start_date = request.data.get("start_date", False)
         end_date = request.data.get("end_date", False)
@@ -1144,6 +1137,7 @@ def get_queryset(self):
             .select_related("cycle", "cycle__owned_by")
         )
 
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER])
     def create(self, request, slug, project_id):
         _ = UserFavorite.objects.create(
             project_id=project_id,
@@ -1153,6 +1147,7 @@ def create(self, request, slug, project_id):
         )
         return Response(status=status.HTTP_204_NO_CONTENT)
 
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER])
     def destroy(self, request, slug, project_id, cycle_id):
         cycle_favorite = UserFavorite.objects.get(
             project=project_id,
@@ -1166,10 +1161,8 @@ def destroy(self, request, slug, project_id, cycle_id):
 
 
 class TransferCycleIssueEndpoint(BaseAPIView):
-    permission_classes = [
-        ProjectEntityPermission,
-    ]
 
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER])
     def post(self, request, slug, project_id, cycle_id):
         new_cycle_id = request.data.get("new_cycle_id", False)
 
@@ -1579,10 +1572,8 @@ def post(self, request, slug, project_id, cycle_id):
 
 
 class CycleUserPropertiesEndpoint(BaseAPIView):
-    permission_classes = [
-        ProjectLitePermission,
-    ]
 
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER, ROLE.VIEWER, ROLE.GUEST])
     def patch(self, request, slug, project_id, cycle_id):
         cycle_properties = CycleUserProperties.objects.get(
             user=request.user,
@@ -1605,6 +1596,7 @@ def patch(self, request, slug, project_id, cycle_id):
         serializer = CycleUserPropertiesSerializer(cycle_properties)
         return Response(serializer.data, status=status.HTTP_201_CREATED)
 
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER, ROLE.VIEWER, ROLE.GUEST])
     def get(self, request, slug, project_id, cycle_id):
         cycle_properties, _ = CycleUserProperties.objects.get_or_create(
             user=request.user,

apiserver/plane/app/views/cycle/issue.py

@@ -3,12 +3,7 @@
 
 # Django imports
 from django.core import serializers
-from django.db.models import (
-    F,
-    Func,
-    OuterRef,
-    Q,
-)
+from django.db.models import F, Func, OuterRef, Q
 from django.utils import timezone
 from django.utils.decorators import method_decorator
 from django.views.decorators.gzip import gzip_page
@@ -17,10 +12,6 @@
 from rest_framework import status
 from rest_framework.response import Response
 
-from plane.app.permissions import (
-    ProjectEntityPermission,
-)
-
 # Module imports
 from .. import BaseViewSet
 from plane.app.serializers import (
@@ -45,6 +36,7 @@
     GroupedOffsetPaginator,
     SubGroupedOffsetPaginator,
 )
+from plane.app.permissions import allow_permission, ROLE
 
 
 class CycleIssueViewSet(BaseViewSet):
@@ -54,10 +46,6 @@ class CycleIssueViewSet(BaseViewSet):
     webhook_event = "cycle_issue"
     bulk = True
 
-    permission_classes = [
-        ProjectEntityPermission,
-    ]
-
     filterset_fields = [
         "issue__labels__id",
         "issue__assignees__id",
@@ -92,6 +80,7 @@ def get_queryset(self):
         )
 
     @method_decorator(gzip_page)
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER, ROLE.VIEWER])
     def list(self, request, slug, project_id, cycle_id):
         order_by_param = request.GET.get("order_by", "created_at")
         filters = issue_filters(request.query_params, "GET")
@@ -238,6 +227,7 @@ def list(self, request, slug, project_id, cycle_id):
                 ),
             )
 
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER])
     def create(self, request, slug, project_id, cycle_id):
         issues = request.data.get("issues", [])
 
@@ -333,6 +323,7 @@ def create(self, request, slug, project_id, cycle_id):
         )
         return Response({"message": "success"}, status=status.HTTP_201_CREATED)
 
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER])
     def destroy(self, request, slug, project_id, cycle_id, issue_id):
         cycle_issue = CycleIssue.objects.filter(
             issue_id=issue_id,