From 0f7849990a3733f01e6da5bf0aa378b821e57ab8 Mon Sep 17 00:00:00 2001
From: Piero Toffanin
Date: Wed, 25 Jan 2023 10:32:53 -0500
Subject: [PATCH] Do not delete projects when delete request is initiated by non-owners
---
 app/api/projects.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/app/api/projects.py b/app/api/projects.py
index 6673ad13..c86efeb9 100644
--- a/app/api/projects.py
+++ b/app/api/projects.py
@@ -136,3 +136,18 @@ class ProjectViewSet(viewsets.ModelViewSet):
             return Response({'error': _("Invalid permissions")}, status=status.HTTP_400_BAD_REQUEST)
 
         return Response({'success': True}, status=status.HTTP_200_OK)
+
+    def destroy(self, request, pk=None):
+        project = get_and_check_project(request, pk, ('delete_project', ))
+
+        # Owner? Delete the project
+        if project.owner == request.user:
+            return super().destroy(self, request, pk=pk)
+        else:
+            # Do not remove the project, simply remove all user's permissions to the project
+            # to avoid shared projects from being accidentally deleted
+            for p in ["add", "change", "delete", "view"]:
+                perm = p + "_project"
+                remove_perm(perm, request.user, project)
+            return Response(status=status.HTTP_204_NO_CONTENT)
+
\ No newline at end of file
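Review bot: `super().destroy(self, request, pk=pk)` in the owner branch passes `self` twice — `super().destroy` is already bound, so the viewset instance lands in the parent's `request` parameter and the real request is shifted into `*args`; it presumably only works because DRF's `ModelViewSet.destroy` resolves the object via `self.get_object()` rather than its `request` argument, and any override that does read `request` would break. Change it to `return super().destroy(request, pk=pk)`. The non-owner branch only strips the requester's direct object permissions via `remove_perm(perm, request.user, project)`; if access can also be granted through a group, the project will still be visible to that user afterwards, which is worth confirming against how `get_and_check_project` resolves permissions. A one-line docstring such as `"""Delete the project if the requester owns it; otherwise only revoke the requester's own permissions on it, so shared projects are not deleted by a non-owner."""` would make the deliberately different 204 semantics visible to API consumers. The enclosing `ProjectViewSet` class starts outside the hunk.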