
Commit a4de486

[WIKI-811] fix: ensure only non-deleted project pages are retrieved in page queries (#8182)
* fix: ensure soft delete handling for pages in PageViewSet methods * refactor: streamline query for project IDs in PageDuplicateEndpoint * refactor: remove soft delete condition from ProjectPage queries in PageViewSet and PageDuplicateEndpoint * refactor: simplify ProjectPage query in PageViewSet for improved readability * refactor: replace filter with get for Page queries in PageViewSet and PageDuplicateEndpoint to enhance clarity * refactor: replace filter with get for Page queries in PagesDescriptionViewSet to improve efficiency
1 parent 3c84e75 commit a4de486

File tree

1 file changed

+74
-21
lines changed
  • apps/api/plane/app/views/page

1 file changed

+74
-21
lines changed

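--- a/apps/api/plane/app/views/page/base.py
+++ b/apps/api/plane/app/views/page/base.py
@@ -149,14 +149,24 @@ def create(self, request, slug, project_id):
 
 def partial_update(self, request, slug, project_id, page_id):
 try:
-page = Page.objects.get(pk=page_id, workspace__slug=slug, projects__id=project_id)
+page = Page.objects.get(
+pk=page_id,
+workspace__slug=slug,
+projects__id=project_id,
+project_pages__deleted_at__isnull=True,
+)
 
 if page.is_locked:
 return Response({"error": "Page is locked"}, status=status.HTTP_400_BAD_REQUEST)
 
 parent = request.data.get("parent", None)
 if parent:
-_ = Page.objects.get(pk=parent, workspace__slug=slug, projects__id=project_id)
+_ = Page.objects.get(
+pk=parent,
+workspace__slug=slug,
+projects__id=project_id,
+project_pages__deleted_at__isnull=True,
+)
 
 # Only update access if the page owner is the requesting user
 if page.access != request.data.get("access", page.access) and page.owned_by_id != request.user.id:
@@ -230,14 +240,24 @@ def retrieve(self, request, slug, project_id, page_id=None):
 return Response(data, status=status.HTTP_200_OK)
 
 def lock(self, request, slug, project_id, page_id):
-page = Page.objects.filter(pk=page_id, workspace__slug=slug, projects__id=project_id).first()
+page = Page.objects.get(
+pk=page_id,
+workspace__slug=slug,
+projects__id=project_id,
+project_pages__deleted_at__isnull=True,
+)
 
 page.is_locked = True
 page.save()
 return Response(status=status.HTTP_204_NO_CONTENT)
 
 def unlock(self, request, slug, project_id, page_id):
-page = Page.objects.filter(pk=page_id, workspace__slug=slug, projects__id=project_id).first()
+page = Page.objects.get(
+pk=page_id,
+workspace__slug=slug,
+projects__id=project_id,
+project_pages__deleted_at__isnull=True,
+)
 
 page.is_locked = False
 page.save()
@@ -246,7 +266,12 @@ def unlock(self, request, slug, project_id, page_id):
 
 def access(self, request, slug, project_id, page_id):
 access = request.data.get("access", 0)
-page = Page.objects.filter(pk=page_id, workspace__slug=slug, projects__id=project_id).first()
+page = Page.objects.get(
+pk=page_id,
+workspace__slug=slug,
+projects__id=project_id,
+project_pages__deleted_at__isnull=True,
+)
 
 # Only update access if the page owner is the requesting user
 if page.access != request.data.get("access", page.access) and page.owned_by_id != request.user.id:
@@ -277,7 +302,12 @@ def list(self, request, slug, project_id):
 return Response(pages, status=status.HTTP_200_OK)
 
 def archive(self, request, slug, project_id, page_id):
-page = Page.objects.get(pk=page_id, workspace__slug=slug, projects__id=project_id)
+page = Page.objects.get(
+pk=page_id,
+workspace__slug=slug,
+projects__id=project_id,
+project_pages__deleted_at__isnull=True,
+)
 
 # only the owner or admin can archive the page
 if (
@@ -303,7 +333,12 @@ def archive(self, request, slug, project_id, page_id):
 return Response({"archived_at": str(datetime.now())}, status=status.HTTP_200_OK)
 
 def unarchive(self, request, slug, project_id, page_id):
-page = Page.objects.get(pk=page_id, workspace__slug=slug, projects__id=project_id)
+page = Page.objects.get(
+pk=page_id,
+workspace__slug=slug,
+projects__id=project_id,
+project_pages__deleted_at__isnull=True,
+)
 
 # only the owner or admin can un archive the page
 if (
@@ -327,7 +362,12 @@ def unarchive(self, request, slug, project_id, page_id):
 return Response(status=status.HTTP_204_NO_CONTENT)
 
 def destroy(self, request, slug, project_id, page_id):
-page = Page.objects.get(pk=page_id, workspace__slug=slug, projects__id=project_id)
+page = Page.objects.get(
+pk=page_id,
+workspace__slug=slug,
+projects__id=project_id,
+project_pages__deleted_at__isnull=True,
+)
 
 if page.archived_at is None:
 return Response(
@@ -350,7 +390,12 @@ def destroy(self, request, slug, project_id, page_id):
 )
 
 # remove parent from all the children
-_ = Page.objects.filter(parent_id=page_id, projects__id=project_id, workspace__slug=slug).update(parent=None)
+_ = Page.objects.filter(
+parent_id=page_id,
+projects__id=project_id,
+workspace__slug=slug,
+project_pages__deleted_at__isnull=True,
+).update(parent=None)
 
 page.delete()
 # Delete the user favorite page
@@ -451,12 +496,14 @@ class PagesDescriptionViewSet(BaseViewSet):
 
 def retrieve(self, request, slug, project_id, page_id):
 page = (
-Page.objects.filter(pk=page_id, workspace__slug=slug, projects__id=project_id)
-.filter(Q(owned_by=self.request.user) | Q(access=0))
-.first()
+Page.objects.get(
+Q(owned_by=self.request.user) | Q(access=0),
+pk=page_id,
+workspace__slug=slug,
+projects__id=project_id,
+project_pages__deleted_at__isnull=True,
+)
 )
-if page is None:
-return Response({"error": "Page not found"}, status=404)
 binary_data = page.description_binary
 
 def stream_data():
@@ -471,14 +518,15 @@ def stream_data():
 
 def partial_update(self, request, slug, project_id, page_id):
 page = (
-Page.objects.filter(pk=page_id, workspace__slug=slug, projects__id=project_id)
-.filter(Q(owned_by=self.request.user) | Q(access=0))
-.first()
+Page.objects.get(
+Q(owned_by=self.request.user) | Q(access=0),
+pk=page_id,
+workspace__slug=slug,
+projects__id=project_id,
+project_pages__deleted_at__isnull=True,
+)
 )
 
-if page is None:
-return Response({"error": "Page not found"}, status=404)
-
 if page.is_locked:
 return Response(
 {
@@ -529,7 +577,12 @@ class PageDuplicateEndpoint(BaseAPIView):
 permission_classes = [ProjectPagePermission]
 
 def post(self, request, slug, project_id, page_id):
-page = Page.objects.filter(pk=page_id, workspace__slug=slug, projects__id=project_id).first()
+page = Page.objects.get(
+pk=page_id,
+workspace__slug=slug,
+projects__id=project_id,
+project_pages__deleted_at__isnull=True,
+)
 
 # check for permission
 if page.access == Page.PRIVATE_ACCESS and page.owned_by_id != request.user.id: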
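Review bot: A missing, soft-deleted or inaccessible page now surfaces as an uncaught `Page.DoesNotExist` in `PagesDescriptionViewSet.retrieve` and `partial_update`, because the explicit `if page is None` 404 branch was dropped. The same holds for `lock`, `unlock`, `access` and `PageDuplicateEndpoint.post`, which show no `try` in the visible lines, so the client only gets a 404 if the base view class (outside this diff) maps that exception. If it does not, wrap the lookup with `except Page.DoesNotExist: return Response({"error": "Page not found"}, status=status.HTTP_404_NOT_FOUND)`. A test with a page linked to two projects, only one link soft-deleted, would also help: `projects__id` and `project_pages__deleted_at__isnull` are written as two relation paths, and if the ORM does not resolve them to the same join row, `.get()` could match through the other project's live link or raise `MultipleObjectsReturned`. Most of these method bodies continue outside the hunks.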
