[WEB-3551] fix: role improvements

apiserver/plane/api/serializers/cycle.py

@@ -1,4 +1,5 @@
 # Third party imports
+import pytz
 from rest_framework import serializers
 
 # Module imports
@@ -18,6 +19,14 @@ class CycleSerializer(BaseSerializer):
     completed_estimates = serializers.FloatField(read_only=True)
     started_estimates = serializers.FloatField(read_only=True)
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        project = self.context.get("project")
+        if project and project.timezone:
+            project_timezone = pytz.timezone(project.timezone)
+            self.fields["start_date"].timezone = project_timezone
+            self.fields["end_date"].timezone = project_timezone
+
     def validate(self, data):
         if (
             data.get("start_date", None) is not None

apiserver/plane/api/views/cycle.py

@@ -137,10 +137,12 @@ def get_queryset(self):
         )
 
     def get(self, request, slug, project_id, pk=None):
+        project = Project.objects.get(workspace__slug=slug, pk=project_id)
         if pk:
             queryset = self.get_queryset().filter(archived_at__isnull=True).get(pk=pk)
             data = CycleSerializer(
-                queryset, fields=self.fields, expand=self.expand
+                queryset, fields=self.fields,
+                expand=self.expand, context={"project": project}
             ).data
             return Response(data, status=status.HTTP_200_OK)
         queryset = self.get_queryset().filter(archived_at__isnull=True)
@@ -152,7 +154,8 @@ def get(self, request, slug, project_id, pk=None):
                 start_date__lte=timezone.now(), end_date__gte=timezone.now()
             )
             data = CycleSerializer(
-                queryset, many=True, fields=self.fields, expand=self.expand
+                queryset, many=True, fields=self.fields,
+                expand=self.expand, context={"project": project}
             ).data
             return Response(data, status=status.HTTP_200_OK)
 
@@ -163,7 +166,8 @@ def get(self, request, slug, project_id, pk=None):
                 request=request,
                 queryset=(queryset),
                 on_results=lambda cycles: CycleSerializer(
-                    cycles, many=True, fields=self.fields, expand=self.expand
+                    cycles, many=True, fields=self.fields,
+                    expand=self.expand, context={"project": project}
                 ).data,
             )
 
@@ -174,7 +178,8 @@ def get(self, request, slug, project_id, pk=None):
                 request=request,
                 queryset=(queryset),
                 on_results=lambda cycles: CycleSerializer(
-                    cycles, many=True, fields=self.fields, expand=self.expand
+                    cycles, many=True, fields=self.fields,
+                    expand=self.expand, context={"project": project}
                 ).data,
             )
 
@@ -185,7 +190,8 @@ def get(self, request, slug, project_id, pk=None):
                 request=request,
                 queryset=(queryset),
                 on_results=lambda cycles: CycleSerializer(
-                    cycles, many=True, fields=self.fields, expand=self.expand
+                    cycles, many=True, fields=self.fields,
+                    expand=self.expand, context={"project": project}
                 ).data,
             )
 
@@ -198,14 +204,16 @@ def get(self, request, slug, project_id, pk=None):
                 request=request,
                 queryset=(queryset),
                 on_results=lambda cycles: CycleSerializer(
-                    cycles, many=True, fields=self.fields, expand=self.expand
+                    cycles, many=True, fields=self.fields,
+                    expand=self.expand, context={"project": project}
                 ).data,
             )
         return self.paginate(
             request=request,
             queryset=(queryset),
             on_results=lambda cycles: CycleSerializer(
-                cycles, many=True, fields=self.fields, expand=self.expand
+                cycles, many=True, fields=self.fields,
+                expand=self.expand, context={"project": project}
             ).data,
         )
 

apiserver/plane/app/views/cycle/base.py

@@ -268,7 +268,7 @@ def list(self, request, slug, project_id):
         )
         datetime_fields = ["start_date", "end_date"]
         data = user_timezone_converter(
-            data, datetime_fields, request.user.user_timezone
+            data, datetime_fields, project_timezone
         )
         return Response(data, status=status.HTTP_200_OK)
 
@@ -318,9 +318,13 @@ def create(self, request, slug, project_id):
                     .first()
                 )
 
+                # Fetch the project timezone
+                project = Project.objects.get(id=self.kwargs.get("project_id"))
+                project_timezone = project.timezone
+
                 datetime_fields = ["start_date", "end_date"]
                 cycle = user_timezone_converter(
-                    cycle, datetime_fields, request.user.user_timezone
+                    cycle, datetime_fields, project_timezone
                 )
 
                 # Send the model activity
@@ -407,9 +411,13 @@ def partial_update(self, request, slug, project_id, pk):
                 "created_by",
             ).first()
 
+            # Fetch the project timezone
+            project = Project.objects.get(id=self.kwargs.get("project_id"))
+            project_timezone = project.timezone
+
             datetime_fields = ["start_date", "end_date"]
             cycle = user_timezone_converter(
-                cycle, datetime_fields, request.user.user_timezone
+                cycle, datetime_fields, project_timezone
             )
 
             # Send the model activity
@@ -480,10 +488,11 @@ def retrieve(self, request, slug, project_id, pk):
             )
 
         queryset = queryset.first()
+        # Fetch the project timezone
+        project = Project.objects.get(id=self.kwargs.get("project_id"))
+        project_timezone = project.timezone
         datetime_fields = ["start_date", "end_date"]
-        data = user_timezone_converter(
-            data, datetime_fields, request.user.user_timezone
-        )
+        data = user_timezone_converter(data, datetime_fields, project_timezone)
 
         recent_visited_task.delay(
             slug=slug,

apiserver/plane/app/views/project/member.py

@@ -10,11 +10,7 @@
     ProjectMemberRoleSerializer,
 )
 
-from plane.app.permissions import (
-    ProjectMemberPermission,
-    ProjectLitePermission,
-    WorkspaceUserPermission,
-)
+from plane.app.permissions import WorkspaceUserPermission
 
 from plane.db.models import Project, ProjectMember, IssueUserProperty, WorkspaceMember
 from plane.bgtasks.project_add_user_email_task import project_add_user_email
@@ -26,14 +22,6 @@ class ProjectMemberViewSet(BaseViewSet):
     serializer_class = ProjectMemberAdminSerializer
     model = ProjectMember
 
-    def get_permissions(self):
-        if self.action == "leave":
-            self.permission_classes = [ProjectLitePermission]
-        else:
-            self.permission_classes = [ProjectMemberPermission]
-
-        return super(ProjectMemberViewSet, self).get_permissions()
-
     search_fields = ["member__display_name", "member__first_name"]
 
     def get_queryset(self):
@@ -187,12 +175,20 @@ def list(self, request, slug, project_id):
         )
         return Response(serializer.data, status=status.HTTP_200_OK)
 
-    @allow_permission([ROLE.ADMIN])
+    @allow_permission([ROLE.ADMIN, ROLE.MEMBER, ROLE.GUEST])
     def partial_update(self, request, slug, project_id, pk):
         project_member = ProjectMember.objects.get(
             pk=pk, workspace__slug=slug, project_id=project_id, is_active=True
         )
-        if request.user.id == project_member.member_id:
+
+        # Fetch the workspace role of the project member
+        workspace_role = WorkspaceMember.objects.get(
+            workspace__slug=slug, member=project_member.member, is_active=True
+        ).role
+        is_workspace_admin = workspace_role == ROLE.ADMIN.value
+
+        # Check if the user is not editing their own role if they are not an admin
+        if request.user.id == project_member.member_id and not is_workspace_admin:
             return Response(
                 {"error": "You cannot update your own role"},
                 status=status.HTTP_400_BAD_REQUEST,
@@ -205,9 +201,6 @@ def partial_update(self, request, slug, project_id, pk):
             is_active=True,
         )
 
-        workspace_role = WorkspaceMember.objects.get(
-            workspace__slug=slug, member=project_member.member, is_active=True
-        ).role
         if workspace_role in [5] and int(
             request.data.get("role", project_member.role)
         ) in [15, 20]:
@@ -222,6 +215,7 @@ def partial_update(self, request, slug, project_id, pk):
             "role" in request.data
             and int(request.data.get("role", project_member.role))
             > requested_project_member.role
+            and not is_workspace_admin
         ):
             return Response(
                 {"error": "You cannot update a role that is higher than your own role"},

apiserver/plane/app/views/workspace/member.py

@@ -68,10 +68,11 @@ def partial_update(self, request, slug, pk):
                 status=status.HTTP_400_BAD_REQUEST,
             )
 
-        if workspace_member.role > int(request.data.get("role")):
-            _ = ProjectMember.objects.filter(
+        # If a user is moved to a guest role he can't have any other role in projects
+        if "role" in request.data and int(request.data.get("role")) == 5:
+            ProjectMember.objects.filter(
                 workspace__slug=slug, member_id=workspace_member.member_id
-            ).update(role=int(request.data.get("role")))
+            ).update(role=5)
 
         serializer = WorkSpaceMemberSerializer(
             workspace_member, data=request.data, partial=True

packages/constants/src/workspace.ts

@@ -83,14 +83,14 @@ export const WORKSPACE_SETTINGS = {
     key: "general",
     i18n_label: "workspace_settings.settings.general.title",
     href: `/settings`,
-    access: [EUserWorkspaceRoles.ADMIN],
+    access: [EUserWorkspaceRoles.ADMIN, EUserWorkspaceRoles.MEMBER],
     highlight: (pathname: string, baseUrl: string) => pathname === `${baseUrl}/settings/`,
   },
   members: {
     key: "members",
     i18n_label: "workspace_settings.settings.members.title",
     href: `/settings/members`,
-    access: [EUserWorkspaceRoles.ADMIN],
+    access: [EUserWorkspaceRoles.ADMIN, EUserWorkspaceRoles.MEMBER],
     highlight: (pathname: string, baseUrl: string) => pathname === `${baseUrl}/settings/members/`,
   },
   "billing-and-plans": {
@@ -123,6 +123,10 @@ export const WORKSPACE_SETTINGS = {
   },
 };
 
+export const WORKSPACE_SETTINGS_ACCESS = Object.fromEntries(
+  Object.entries(WORKSPACE_SETTINGS).map(([_, { href, access }]) => [href, access])
+);
+
 export const WORKSPACE_SETTINGS_LINKS: {
   key: string;
   i18n_label: string;

web/app/[workspaceSlug]/(projects)/projects/(detail)/[projectId]/settings/(with-sidebar)/members/page.tsx

@@ -15,10 +15,12 @@ const MembersSettingsPage = observer(() => {
   const { workspaceUserInfo, allowPermissions } = useUserPermissions();
   // derived values
   const pageTitle = currentProjectDetails?.name ? `${currentProjectDetails?.name} - Members` : undefined;
-  const canPerformProjectMemberActions = allowPermissions(
+  const isProjectMemberOrAdmin = allowPermissions(
     [EUserPermissions.ADMIN, EUserPermissions.MEMBER],
     EUserPermissionsLevel.PROJECT
   );
+  const isWorkspaceAdmin = allowPermissions([EUserPermissions.ADMIN], EUserPermissionsLevel.WORKSPACE);
+  const canPerformProjectMemberActions = isProjectMemberOrAdmin || isWorkspaceAdmin;
 
   if (workspaceUserInfo && !canPerformProjectMemberActions) {
     return <NotAuthorizedView section="settings" isProjectView />;

web/app/[workspaceSlug]/(projects)/settings/(with-sidebar)/layout.tsx

@@ -3,7 +3,8 @@
 import { FC, ReactNode } from "react";
 import { observer } from "mobx-react";
 // components
-import { EUserPermissions, EUserPermissionsLevel } from "@plane/constants";
+import { useParams, usePathname } from "next/navigation";
+import { EUserWorkspaceRoles, WORKSPACE_SETTINGS_ACCESS } from "@plane/constants";
 import { NotAuthorizedView } from "@/components/auth-screens";
 import { AppHeader } from "@/components/core";
 // hooks
@@ -21,17 +22,26 @@ export interface IWorkspaceSettingLayout {
 const WorkspaceSettingLayout: FC<IWorkspaceSettingLayout> = observer((props) => {
   const { children } = props;
 
-  const { workspaceUserInfo, allowPermissions } = useUserPermissions();
+  const { workspaceUserInfo } = useUserPermissions();
+  const pathname = usePathname();
+  const { workspaceSlug } = useParams();
 
   // derived values
-  const isWorkspaceAdmin = allowPermissions([EUserPermissions.ADMIN], EUserPermissionsLevel.WORKSPACE);
+  const userWorkspaceRole = workspaceUserInfo?.[workspaceSlug.toString()]?.role;
+  const isAuthorized =
+    pathname &&
+    workspaceSlug &&
+    userWorkspaceRole &&
+    WORKSPACE_SETTINGS_ACCESS[pathname.replace(`/${workspaceSlug}`, "").slice(0, -1)]?.includes(
+      userWorkspaceRole as EUserWorkspaceRoles
+    );
 
   return (
     <>
       <AppHeader header={<WorkspaceSettingHeader />} />
       <MobileWorkspaceSettingsTabs />
       <div className="inset-y-0 flex flex-row vertical-scrollbar scrollbar-lg h-full w-full overflow-y-auto">
-        {workspaceUserInfo && !isWorkspaceAdmin ? (
+        {workspaceUserInfo && !isAuthorized ? (
           <NotAuthorizedView section="settings" />
         ) : (
           <>

web/ce/constants/project/settings/tabs.ts

@@ -18,7 +18,7 @@ export const PROJECT_SETTINGS = {
     key: "members",
     i18n_label: "members",
     href: `/settings/members`,
-    access: [EUserPermissions.ADMIN, EUserPermissions.MEMBER],
+    access: [EUserPermissions.ADMIN, EUserPermissions.MEMBER, EUserPermissions.GUEST],
     highlight: (pathname: string, baseUrl: string) => pathname === `${baseUrl}/settings/members/`,
     Icon: SettingIcon,
   },