makeplane · pushya22 · Sep 18, 2025 · Sep 16, 2025 · Sep 16, 2025 · Sep 16, 2025
diff --git a/apps/api/plane/app/views/cycle/base.py b/apps/api/plane/app/views/cycle/base.py
@@ -504,19 +504,6 @@ def retrieve(self, request, slug, project_id, pk):
     @allow_permission([ROLE.ADMIN], creator=True, model=Cycle)
     def destroy(self, request, slug, project_id, pk):
         cycle = Cycle.objects.get(workspace__slug=slug, project_id=project_id, pk=pk)
-        if cycle.owned_by_id != request.user.id and not (
-            ProjectMember.objects.filter(
-                workspace__slug=slug,
-                member=request.user,
-                role=20,
-                project_id=project_id,
-                is_active=True,
-            ).exists()
-        ):
-            return Response(
-                {"error": "Only admin or owner can delete the cycle"},
-                status=status.HTTP_403_FORBIDDEN,
-            )
 
         cycle_issues = list(
             CycleIssue.objects.filter(cycle_id=self.kwargs.get("pk")).values_list(

diff --git a/apps/api/plane/app/views/intake/base.py b/apps/api/plane/app/views/intake/base.py
@@ -28,6 +28,7 @@
     ProjectMember,
     CycleIssue,
     IssueDescriptionVersion,
+    WorkspaceMember,
 )
 from plane.app.serializers import (
     IssueCreateSerializer,
@@ -348,17 +349,32 @@ def partial_update(self, request, slug, project_id, pk):
             project_id=project_id,
             intake_id=intake_id,
         )
-        # Get the project member
-        project_member = ProjectMember.objects.get(
+
+        project_member = ProjectMember.objects.filter(
             workspace__slug=slug,
             project_id=project_id,
             member=request.user,
             is_active=True,
-        )
+        ).first()
+
+        is_workspace_admin = WorkspaceMember.objects.filter(
+            workspace__slug=slug,
+            is_active=True,
+            member=request.user,
+            role=ROLE.ADMIN.value,
+        ).exists()
+
+        if not project_member and not is_workspace_admin:
+            return Response(
+                {"error": "Only admin or creator can update the intake work items"},
+                status=status.HTTP_403_FORBIDDEN,
+            )
+
         # Only project members admins and created_by users can access this endpoint
-        if project_member.role <= 5 and str(intake_issue.created_by_id) != str(
-            request.user.id
-        ):
+        if (
+            (project_member and project_member.role <= ROLE.GUEST.value)
+            and not is_workspace_admin
+        ) and str(intake_issue.created_by_id) != str(request.user.id):
-        if (
-            (project_member and project_member.role <= ROLE.GUEST.value)
-            and not is_workspace_admin
-        ) and str(intake_issue.created_by_id) != str(request.user.id):
+        if not self.can_edit_intake_issue(project_member, is_workspace_admin, intake_issue, request):
-        if (
-            (project_member and project_member.role <= ROLE.GUEST.value)
-            and not is_workspace_admin
-        ) and str(intake_issue.created_by_id) != str(request.user.id):
+        if not self.can_edit_intake_issue(project_member, is_workspace_admin, intake_issue, request):
             return Response(
                 {"error": "You cannot edit intake issues"},
                 status=status.HTTP_400_BAD_REQUEST,
@@ -391,15 +407,16 @@ def partial_update(self, request, slug, project_id, pk):
                     Value([], output_field=ArrayField(UUIDField())),
                 ),
             ).get(pk=intake_issue.issue_id, workspace__slug=slug, project_id=project_id)
-            # Only allow guests to edit name and description
-            if project_member.role <= 5:
+
+            if project_member and project_member.role <= ROLE.GUEST.value:
                 issue_data = {
                     "name": issue_data.get("name", issue.name),
                     "description_html": issue_data.get(
                         "description_html", issue.description_html
                     ),
                     "description": issue_data.get("description", issue.description),
                 }
+
             current_instance = json.dumps(
                 IssueDetailSerializer(issue).data, cls=DjangoJSONEncoder
             )
@@ -436,8 +453,10 @@ def partial_update(self, request, slug, project_id, pk):
                     issue_serializer.errors, status=status.HTTP_400_BAD_REQUEST
                 )
 
-        # Only project admins and members can edit intake issue attributes
-        if project_member.role > 15:
+        # Only project admins can edit intake issue attributes
+        if (
+            project_member and project_member.role > ROLE.MEMBER.value
+        ) or is_workspace_admin:
             serializer = IntakeIssueSerializer(
                 intake_issue, data=request.data, partial=True
             )