chore: project admin accesss to workspace admins

Author: sangeethailango

apps/api/plane/app/permissions/base.py

@@ -39,13 +39,31 @@ def _wrapped_view(instance, request, *args, **kwargs):
                 ).exists():
                     return view_func(instance, request, *args, **kwargs)
             else:
-                if ProjectMember.objects.filter(
+                is_user_has_allowed_role = ProjectMember.objects.filter(
                     member=request.user,
                     workspace__slug=kwargs["slug"],
                     project_id=kwargs["project_id"],
                     role__in=allowed_role_values,
                     is_active=True,
-                ).exists():
+                ).exists()
+
+                is_user_part_of_project = ProjectMember.objects.filter(
+                    member=request.user,
+                    workspace__slug=kwargs["slug"],
+                    project_id=kwargs["project_id"],
+                    is_active=True,
+                ).exists()
+
+                is_user_workspace_admin = WorkspaceMember.objects.filter(
+                    member=request.user,
+                    workspace__slug=kwargs["slug"],
+                    role=ROLE.ADMIN.value,
+                    is_active=True,
+                ).exists()
+
+                if is_user_has_allowed_role:
+                    return view_func(instance, request, *args, **kwargs)
+                elif is_user_part_of_project and is_user_workspace_admin:
                     return view_func(instance, request, *args, **kwargs)
 
             # Return permission denied if no conditions are met

apps/api/plane/app/permissions/project.py

@@ -30,15 +30,31 @@ def has_permission(self, request, view):
                 is_active=True,
             ).exists()
 
-        ## Only Project Admins can update project attributes
-        return ProjectMember.objects.filter(
+        is_project_admin = ProjectMember.objects.filter(
             workspace__slug=view.workspace_slug,
             member=request.user,
             role=Admin,
             project_id=view.project_id,
             is_active=True,
         ).exists()
 
+        is_project_member = ProjectMember.objects.filter(
+            workspace__slug=view.workspace_slug,
+            member=request.user,
+            project_id=view.project_id,
+            is_active=True,
+        ).exists()
+
+        is_user_workspace_admin = WorkspaceMember.objects.filter(
+            member=request.user,
+            workspace__slug=view.workspace_slug,
+            role=Admin,
+            is_active=True,
+        ).exists()
+
+        ## Only project admins or workspace admin who is part of the project can access
+        return is_project_admin or (is_project_member and is_user_workspace_admin)
+
 
 class ProjectMemberPermission(BasePermission):
     def has_permission(self, request, view):

apps/api/plane/app/views/project/base.py

@@ -5,13 +5,12 @@
 import json
 
 # Django imports
-from django.db import IntegrityError
 from django.db.models import Exists, F, OuterRef, Prefetch, Q, Subquery
 from django.core.serializers.json import DjangoJSONEncoder
 
 # Third Party imports
 from rest_framework.response import Response
-from rest_framework import serializers, status
+from rest_framework import status
 from rest_framework.permissions import AllowAny
 
 # Module imports
@@ -341,13 +340,20 @@ def create(self, request, slug):
 
     def partial_update(self, request, slug, pk=None):
         # try:
-        if not ProjectMember.objects.filter(
+        is_workspace_admin = WorkspaceMember.objects.filter(
+            member=request.user, workspace__slug=slug, is_active=True, role=20
+        ).exists()
+
+        is_project_admin = ProjectMember.objects.filter(
             member=request.user,
             workspace__slug=slug,
             project_id=pk,
             role=20,
             is_active=True,
-        ).exists():
+        ).exists()
+
+        # Return error for if the user is neither workspace admin nor project admin
+        if not is_project_admin and not is_workspace_admin:
             return Response(
                 {"error": "You don't have the required permissions."},
                 status=status.HTTP_403_FORBIDDEN,