diff --git a/apiserver/plane/app/views/project/base.py b/apiserver/plane/app/views/project/base.py
index 7b027df9886..879d3ed3c9e 100644
--- a/apiserver/plane/app/views/project/base.py
+++ b/apiserver/plane/app/views/project/base.py
@@ -176,6 +176,10 @@ def list(self, request, slug):
 def retrieve(self, request, slug, pk):
 project = (
 self.get_queryset()
+ .filter(
+ project_projectmember__member=self.request.user,
+ project_projectmember__is_active=True,
+ )
 .filter(archived_at__isnull=True)
 .filter(pk=pk)
 .annotate(
diff --git a/apiserver/plane/app/views/project/invite.py b/apiserver/plane/app/views/project/invite.py
index af8c6084bd2..d36036b98fb 100644
--- a/apiserver/plane/app/views/project/invite.py
+++ b/apiserver/plane/app/views/project/invite.py
@@ -136,6 +136,12 @@ def create(self, request, slug):
 member=request.user, workspace__slug=slug, is_active=True
 )
+ if workspace_member.role != ROLE.ADMIN:
+ return Response(
+ {"error": "You do not have permission to join the project"},
+ status=status.HTTP_403_FORBIDDEN,
+ )
+
 workspace_role = workspace_member.role
 workspace = workspace_member.workspace
diff --git a/web/core/layouts/auth-layout/project-wrapper.tsx b/web/core/layouts/auth-layout/project-wrapper.tsx
index c5a812569b7..34df02e06b8 100644
--- a/web/core/layouts/auth-layout/project-wrapper.tsx
+++ b/web/core/layouts/auth-layout/project-wrapper.tsx
@@ -162,7 +162,7 @@ export const ProjectAuthWrapper: FC = observer((props) => {
 // check if the project info is not found.
 if (!loader && !projectExists && projectId && !!hasPermissionToCurrentProject === false) return (
-
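Review bot: The active-member restriction is added inline to the `retrieve` query only, so it cannot be told from this hunk whether the other actions built on `self.get_queryset()` (the hunk header shows `list` just above) enforce the same check; if they do not, object-level authorization stays inconsistent across the viewset. Both conditions sit in one `.filter()` call, which is what makes them match the same membership row, and that deserves a comment such as `# one filter() call: both conditions must hold for the same membership row of the requester`. The rest of `retrieve`, including how an empty result is reported, lies outside the hunk; answering non-members with 404 rather than 403 avoids confirming that a project id exists.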
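Review bot: The new guard in `create` compares `workspace_member.role` with `ROLE.ADMIN` directly, and `ROLE` is defined outside this diff; if it is an `Enum` while `role` is stored as an integer, the two never compare equal and every caller, admins included, receives the 403. In that case the check should read `if workspace_member.role != ROLE.ADMIN.value:`. No import hunk for `invite.py` is shown, so `ROLE` has to be in scope in that file already. After the guard, `workspace_role = workspace_member.role` can only hold the admin value, so any later branch on lower roles in `create` (which continues past the hunk) is dead and could be dropped. A test that a non-admin workspace member gets 403 and an admin succeeds would pin both directions.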
+