diff --git a/backend/organizations/decorators.py b/backend/organizations/decorators.py
index 8469ccc72..fc35a4459 100644
--- a/backend/organizations/decorators.py
+++ b/backend/organizations/decorators.py
@@ -3,6 +3,8 @@
 from .models import Organization
 from functools import wraps
 from django.http import HttpResponse
+from workspaces.models import Workspace
+
 
 PERMISSION_ERROR = {
     "message": "You do not have enough permissions to access this view!"
@@ -57,3 +59,39 @@ def wrapper(self, request, *args, **kwargs):
             return Response("Permission Denied", status=403)
 
     return wrapper
+
+
+def is_permitted(f):
+    @wraps(f)
+    def wrapper(self, request, *args, **kwargs):
+        if "organization" not in request.data or "workspace" not in request.data:
+            return Response(
+                {
+                    "message": "Please send the complete request data for organization and workspace"
+                },
+                status=403,
+            )
+        organization = Organization.objects.get(id=request.data["organization"])
+        workspace = Workspace.objects.get(id=request.data["workspace"])
+        if Organization.objects.filter(
+            id=request.user.organization.id
+        ) != Organization.objects.filter(id=int(organization)):
+            return Response(NO_ORGANIZATION_OWNER_ERROR, status=403)
+        if workspace.organization != request.user.organization:
+            Response(NO_ORGANIZATION_OWNER_ERROR, status=403)
+        org_permissions = Organization.objects.filter(
+            id=request.user.organization.id
+        ).permission_json
+        requested_permission = request.data.get("requested_permission")
+        allowed_roles = org_permissions.get(requested_permission, 0)
+        if not allowed_roles:
+            return Response({"message": "Requested Permission is invalid"}, status=403)
+        for a in allowed_roles:
+            if (a == "org_owner" and request.user.role != User.ORGANIZATION_OWNER) or (
+                a == "workspace_manager" and request.user not in workspace.managers
+            ):
+                return Response({"message": "Access Denied"}, status=403)
+            return f(self, request, *args, **kwargs)
+        return Response(PERMISSION_ERROR, status=403)
+
+    return wrapper
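Review bot: The organization check at `if Organization.objects.filter(...) != Organization.objects.filter(id=int(organization)):` cannot work as written — `int(organization)` is applied to an `Organization` instance, which raises `TypeError`, and even without that two QuerySets compare by identity so `!=` is always true; compare the instances instead, `if organization != request.user.organization:`. The workspace check right below builds `Response(NO_ORGANIZATION_OWNER_ERROR, status=403)` without `return`, so a workspace that belongs to a different organization is never rejected, and `Organization.objects.filter(...).permission_json` reads an attribute on a QuerySet rather than on the instance (`request.user.organization.permission_json`). The role loop returns `f(...)` on its first iteration regardless of the roles that follow, and `requested_permission` comes from the client's own `request.data`, so the caller picks which role set it is checked against; the decorated view should fix the permission name (for example as a decorator argument) and the loop presumably meant "holds any allowed role", which reduces to one membership test. `User`, `Response` and `NO_ORGANIZATION_OWNER_ERROR` are used but neither imported nor defined in these hunks — presumably present earlier in the file. A rewrite of the body with those fixes follows; it still reads the permission name from the request to keep the interface, which is the part worth changing next.

```python
def is_permitted(f):
    @wraps(f)
    def wrapper(self, request, *args, **kwargs):
        # … unchanged: missing-field check on request.data …
        try:
            organization = Organization.objects.get(id=request.data["organization"])
            workspace = Workspace.objects.get(id=request.data["workspace"])
        except (Organization.DoesNotExist, Workspace.DoesNotExist, ValueError):
            return Response({"message": "Unknown organization or workspace"}, status=404)
        # Compare model instances: QuerySet defines no __eq__, so comparing two
        # filter() results is always "unequal", and int(organization) raises.
        if organization != request.user.organization:
            return Response(NO_ORGANIZATION_OWNER_ERROR, status=403)
        if workspace.organization != request.user.organization:
            return Response(NO_ORGANIZATION_OWNER_ERROR, status=403)  # was built but not returned
        # permission_json is a field of the Organization instance, not of a QuerySet
        org_permissions = request.user.organization.permission_json
        # … unchanged: requested_permission lookup and the "Requested Permission is invalid" response …
        is_owner = request.user.role == User.ORGANIZATION_OWNER
        is_manager = request.user in workspace.managers
        # Grant when the user holds any role listed for the permission; deny otherwise.
        if ("org_owner" in allowed_roles and is_owner) or (
            "workspace_manager" in allowed_roles and is_manager
        ):
            return f(self, request, *args, **kwargs)
        return Response({"message": "Access Denied"}, status=403)

    return wrapper
```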