chore: workspace admin access (#4138)

* chore: added access for workspace admin to edit project settings

* chore: workspace admin to update members details

* chore: workspace admin to label, state, workflow settings

* Revert "chore: added access for workspace admin to edit project settings"

This reverts commit 803b56514887339d884eaef170de8a9e4ecfda8c.

* chore: updated worspace admin access for projects

* Revert "chore: workspace admin to update members details"

This reverts commit ac465d618d7a89ef696db3484e515957b6b5e264.

* Revert "chore: workspace admin to label, state, workflow settings"

This reverts commit f01a89604e71792096cbae8e029cac160ea209fb.

* chore: workspace admin access in permission classes and decorator

* chore: check for teamspace members

* chore: refactor permission logic

* [WIKI-632] chore: accept additional props for document collaborative editor (#7718)

* chore: add collaborative document editor extended props

* fix: additional rich text extension props

* fix: formatting

* chore: add types to the trailing node extension

---------

Co-authored-by: Aaryan Khandelwal <[email protected]>

* [WEB-4854] chore: project admin accesss to workspace admins (#7749)

* chore: project admin accesss to workspace admins

* chore: frontend changes

* chore: remove console.log

* chore: refactor permission decorator

* chore: role enum

* chore: rearrange role_choices

* Potential fix for code scanning alert no. 636: URL redirection from remote source (#7760)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* [WEB-4441]fix: members account type dropdown position #7759

* [WEB-4857] fix: applied filters root update #7750

* [WEB-4858]chore: updated content for error page (#7766)

* chore: updated content for error page

* chore: updated btn url

* fix: merge conflicts

* fix: merge conflicts

* fix: use enum for roles

---------

Co-authored-by: vamsikrishnamathala <[email protected]>
Co-authored-by: Lakhan Baheti <[email protected]>
Co-authored-by: Aaryan Khandelwal <[email protected]>
Co-authored-by: sriram veeraghanta <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Vamsi Krishna <[email protected]>

Author: 6 people

apps/api/plane/app/permissions/base.py

@@ -52,14 +52,41 @@ def _wrapped_view(instance, request, *args, **kwargs):
                 ).exists():
                     return view_func(instance, request, *args, **kwargs)
             else:
-                if ProjectMember.objects.filter(
+                is_user_has_allowed_role = ProjectMember.objects.filter(
                     member=request.user,
                     workspace__slug=kwargs["slug"],
                     project_id=kwargs["project_id"],
                     role__in=allowed_role_values,
                     is_active=True,
-                ).exists():
+                ).exists()
+
+                #  Return if the user has allowed roles
+                if is_user_has_allowed_role:
                     return view_func(instance, request, *args, **kwargs)
+
+                #  Return if the user is workspace admin and is also part of the project or a teamspace member
+                if WorkspaceMember.objects.filter(
+                    member=request.user,
+                    workspace__slug=kwargs["slug"],
+                    role=ROLE.ADMIN.value,
+                    is_active=True,
+                ).exists():
+                    teamspace_ids = TeamspaceProject.objects.filter(
+                        workspace__slug=kwargs["slug"], project_id=kwargs["project_id"]
+                    ).values_list("team_space_id", flat=True)
+                    if (
+                        ProjectMember.objects.filter(
+                            member=request.user,
+                            workspace__slug=kwargs["slug"],
+                            project_id=kwargs["project_id"],
+                            is_active=True,
+                        ).exists()
+                        or TeamspaceMember.objects.filter(
+                            member=request.user, team_space_id__in=teamspace_ids
+                        ).exists()
+                    ):
+                        return view_func(instance, request, *args, **kwargs)
+
                 #
                 # Check if the user is member of the team space
                 # if scope is project further check if user is member of the team space

apps/api/plane/app/permissions/project.py

@@ -7,13 +7,7 @@
 from plane.ee.models import TeamspaceProject, TeamspaceMember
 from plane.payment.flags.flag_decorator import check_workspace_feature_flag
 from plane.payment.flags.flag import FeatureFlag
-
-
-# Permission Role Levels
-# These constants define the permission levels in the system
-Admin: int = 20  # Administrator level access
-Member: int = 15  # Regular member level access
-Guest: int = 5  # Guest/restricted level access
+from plane.db.models.project import ROLE
 
 
 def check_teamspace_membership(view, request: Request) -> bool:
@@ -75,18 +69,31 @@ def has_permission(self, request, view) -> bool:
             return WorkspaceMember.objects.filter(
                 workspace__slug=view.workspace_slug,
                 member=request.user,
-                role__in=[Admin, Member],
+                role__in=[ROLE.ADMIN.value, ROLE.MEMBER.value],
                 is_active=True,
             ).exists()
 
-        ## Only Project Admins can update project attributes
-        return ProjectMember.objects.filter(
+        project_member_qs = ProjectMember.objects.filter(
             workspace__slug=view.workspace_slug,
             member=request.user,
-            role=Admin,
             project_id=view.project_id,
             is_active=True,
-        ).exists()
+        )
+
+        ## Only project admins or workspace admin who is part of the project can access
+
+        if project_member_qs.filter(role=ROLE.ADMIN.value).exists():
+            return True
+        else:
+            return (
+                project_member_qs.exists()
+                and WorkspaceMember.objects.filter(
+                    member=request.user,
+                    workspace__slug=view.workspace_slug,
+                    role=ROLE.ADMIN.value,
+                    is_active=True,
+                ).exists()
+            )
 
 
 class ProjectMemberPermission(BasePermission):
@@ -112,15 +119,15 @@ def has_permission(self, request, view) -> bool:
             return WorkspaceMember.objects.filter(
                 workspace__slug=view.workspace_slug,
                 member=request.user,
-                role__in=[Admin, Member],
+                role__in=[ROLE.ADMIN.value, ROLE.MEMBER.value],
                 is_active=True,
             ).exists()
 
         ## Only Project Admins can update project attributes
         is_project_member = ProjectMember.objects.filter(
             workspace__slug=view.workspace_slug,
             member=request.user,
-            role__in=[Admin, Member],
+            role__in=[ROLE.ADMIN.value, ROLE.MEMBER.value],
             project_id=view.project_id,
             is_active=True,
         ).exists()
@@ -180,7 +187,7 @@ def has_permission(self, request, view) -> bool:
         is_project_member = ProjectMember.objects.filter(
             workspace__slug=view.workspace_slug,
             member=request.user,
-            role__in=[Admin, Member],
+            role__in=[ROLE.ADMIN.value, ROLE.MEMBER.value],
             project_id=view.project_id,
             is_active=True,
         ).exists()

apps/api/plane/app/views/project/base.py

@@ -5,14 +5,14 @@
 import uuid
 
 # Django imports
-from django.db import IntegrityError
 from django.db.models import Exists, F, OuterRef, Prefetch, Q, Subquery
 from django.core.serializers.json import DjangoJSONEncoder
+from django.db import IntegrityError
 
 
 # Third Party imports
 from rest_framework.response import Response
-from rest_framework import serializers, status
+from rest_framework import status
 from rest_framework.permissions import AllowAny
 
 # Module imports
@@ -229,7 +229,6 @@ def list_detail(self, request, slug):
                 project_projectmember__member=self.request.user,
                 project_projectmember__is_active=True,
             )
-
             teamspace_project_ids = self.get_teamspace_project_ids(request, slug)
             teamspace_projects = base_queryset.filter(pk__in=teamspace_project_ids)
 
@@ -306,7 +305,10 @@ def list(self, request, slug):
         )
 
         if WorkspaceMember.objects.filter(
-            member=request.user, workspace__slug=slug, is_active=True, role=5
+            member=request.user,
+            workspace__slug=slug,
+            is_active=True,
+            role=ROLE.GUEST.value,
         ).exists():
             # For role 5 (MEMBER): direct memberships + teamspace memberships
             direct_projects = base_queryset.filter(
@@ -320,7 +322,10 @@ def list(self, request, slug):
             projects = direct_projects.union(teamspace_projects)
 
         elif WorkspaceMember.objects.filter(
-            member=request.user, workspace__slug=slug, is_active=True, role=15
+            member=request.user,
+            workspace__slug=slug,
+            is_active=True,
+            role=ROLE.MEMBER.value,
         ).exists():
             # For role 15 (GUEST): direct memberships + public projects + teamspace memberships
             direct_projects = base_queryset.filter(
@@ -412,29 +417,31 @@ def create(self, request, slug):
             if serializer.is_valid():
                 serializer.save()
 
-                # Add the user as Administrator to the project
-                _ = ProjectMember.objects.create(
-                    project_id=serializer.data["id"], member=request.user, role=20
+            # Add the user as Administrator to the project
+            _ = ProjectMember.objects.create(
+                project_id=serializer.data["id"],
+                member=request.user,
+                role=ROLE.ADMIN.value,
+            )
+            # Also create the issue property for the user
+            _ = IssueUserProperty.objects.create(
+                project_id=serializer.data["id"], user=request.user
+            )
+
+            if serializer.data["project_lead"] is not None and str(
+                serializer.data["project_lead"]
+            ) != str(request.user.id):
+                ProjectMember.objects.create(
+                    project_id=serializer.data["id"],
+                    member_id=serializer.data["project_lead"],
+                    role=ROLE.ADMIN.value,
                 )
                 # Also create the issue property for the user
-                _ = IssueUserProperty.objects.create(
-                    project_id=serializer.data["id"], user=request.user
+                IssueUserProperty.objects.create(
+                    project_id=serializer.data["id"],
+                    user_id=serializer.data["project_lead"],
                 )
 
-                if serializer.data["project_lead"] is not None and str(
-                    serializer.data["project_lead"]
-                ) != str(request.user.id):
-                    ProjectMember.objects.create(
-                        project_id=serializer.data["id"],
-                        member_id=serializer.data["project_lead"],
-                        role=20,
-                    )
-                    # Also create the issue property for the user
-                    IssueUserProperty.objects.create(
-                        project_id=serializer.data["id"],
-                        user_id=serializer.data["project_lead"],
-                    )
-
                 # Default states
                 states = [
                     {
@@ -572,14 +579,23 @@ def create(self, request, slug):
             )
 
     def partial_update(self, request, slug, pk=None):
+        is_workspace_admin = WorkspaceMember.objects.filter(
+            member=request.user,
+            workspace__slug=slug,
+            is_active=True,
+            role=ROLE.ADMIN.value,
+        ).exists()
+
+        is_project_admin = ProjectMember.objects.filter(
+            member=request.user,
+            workspace__slug=slug,
+            project_id=pk,
+            role=ROLE.ADMIN.value,
+            is_active=True,
+        ).exists()
         try:
-            if not ProjectMember.objects.filter(
-                member=request.user,
-                workspace__slug=slug,
-                project_id=pk,
-                role=20,
-                is_active=True,
-            ).exists():
+            # Return error for if the user is neither workspace admin nor project admin
+            if not is_project_admin and not is_workspace_admin:
                 return Response(
                     {"error": "You don't have the required permissions."},
                     status=status.HTTP_403_FORBIDDEN,
@@ -633,7 +649,7 @@ def partial_update(self, request, slug, pk=None):
                             project_id=pk,
                             workspace_id=workspace.id,
                             member_id=api_token.user_id,
-                            role=20,
+                            role=ROLE.ADMIN.value,
                         )
 
                 # EE: project_grouping starts
@@ -750,13 +766,16 @@ def partial_update(self, request, slug, pk=None):
     def destroy(self, request, slug, pk):
         if (
             WorkspaceMember.objects.filter(
-                member=request.user, workspace__slug=slug, is_active=True, role=20
+                member=request.user,
+                workspace__slug=slug,
+                is_active=True,
+                role=ROLE.ADMIN.value,
             ).exists()
             or ProjectMember.objects.filter(
                 member=request.user,
                 workspace__slug=slug,
                 project_id=pk,
-                role=20,
+                role=ROLE.ADMIN.value,
                 is_active=True,
             ).exists()
         ):

apps/api/plane/db/models/project.py

@@ -23,6 +23,12 @@
 ROLE_CHOICES = ((20, "Admin"), (15, "Member"), (5, "Guest"))
 
 
+class ROLE(Enum):
+    ADMIN = 20
+    MEMBER = 15
+    GUEST = 5
+
+
 class ProjectNetwork(Enum):
     SECRET = 0
     PUBLIC = 2

apps/api/plane/utils/path_validator.py

@@ -3,18 +3,20 @@
 
 
 def validate_next_path(next_path: str) -> str:
-    """Validates that next_path is a valid path and extracts only the path component."""
+    """Validates that next_path is a safe relative path for redirection."""
+    # Browsers interpret backslashes as forward slashes. Remove all backslashes.
+    next_path = next_path.replace("\\", "")
     parsed_url = urlparse(next_path)
 
-    # Ensure next_path is not an absolute URL
+    # Block absolute URLs or anything with scheme/netloc
     if parsed_url.scheme or parsed_url.netloc:
         next_path = parsed_url.path  # Extract only the path component
 
-    # Ensure it starts with a forward slash (indicating a valid relative path)
-    if not next_path.startswith("/"):
+    # Must start with a forward slash and not be empty
+    if not next_path or not next_path.startswith("/"):
         return ""
 
-    # Ensure it does not contain dangerous path traversal sequences
+    # Prevent path traversal
     if ".." in next_path:
         return ""