[WEB-2443] fix: project intake edit permission

[anmolsinghbhatia]

Changes:

This PR resolves the project intake permission issue, where a guest was unable to edit their own issue.

Reference:

[WEB-2443]

Summary by CodeRabbit

• New Features

  • Enhanced user permissions and visibility controls for inbox issues based on project membership and guest access.
  • Introduced a new user invitation logic, allowing only admins to create project invitations and ensuring invited users have the correct roles.

• Improvements

  • Updated the inbox component to better manage user-specific permissions and editing capabilities, particularly for guest users.

• Bug Fixes

  • Improved role validation for invited users to prevent mismatched roles from being assigned.

[coderabbitai]

Warning

Rate limit exceeded

@anmolsinghbhatia has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 12 minutes and 41 seconds before requesting another review.

How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Commits

Files that changed from the base of the PR and between 0ba67cf and 2a35e5e.

Walkthrough

The changes enhance user permissions and visibility controls in the inbox and project invitation functionalities. Modifications in the InboxView class improve filtering of inbox issues based on user roles and project settings, while the ProjectInvitationsViewset class updates the invitation logic to enforce stricter role validation. Additionally, the InboxContentRoot component introduces user-specific permissions management, allowing for better handling of editing capabilities based on user roles, including guests.

Changes

File Path	Change Summary
apiserver/plane/app/views/inbox/base.py	Enhanced user permissions logic in InboxView for listing and retrieving inbox issues based on project membership and guest access settings.
apiserver/plane/app/views/project/invite.py	Modified ProjectInvitationsViewset to use a new decorator for admin-only invitations and improved role validation for invited users.
web/core/components/inbox/content/root.tsx	Introduced useUser hook for user data retrieval, updated editing permissions logic to account for guest roles, and refined conditions for issue editing capabilities.

Possibly related PRs

• [WEB-2391] fix: join project permission mutation #5580: Enhances user project role management, related to user permissions and visibility.
• [WEB-2443] fix: project favorite permission validation #5587: Involves user permission checks that align with enhancements to inbox issue access control.

Suggested labels

⚙️backend

Poem

🐰 In the land of code where bunnies play,
New rules for permissions brighten the day.
With roles defined and access tight,
Every inbox issue is now just right!
So hop along, let’s celebrate,
For better access, we can’t wait! 🎉

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

Outside diff range and nitpick comments (2)

apiserver/plane/app/views/project/invite.py (1)

59-73: Excellent work on improving the role validation logic!

The new role validation logic is more robust compared to the previous implementation. It ensures that invited users cannot have a different role than what is defined in the workspace. The logic correctly handles the case when the invited user's role is either 5 or 20 and returns an appropriate error response if there is a mismatch.

The code changes are well-structured and easy to understand. This modification enhances the integrity of the user invitation process by enforcing stricter role validation.

To further improve the code maintainability and reusability, consider extracting the role validation logic into a separate helper function. This will make the code more modular and easier to test.

apiserver/plane/app/views/inbox/base.py (1)

173-173: LGTM!

The retrieval of the Project object using the project_id from the URL parameters is a valid operation.

Please remove the trailing whitespace at the end of line 173 to maintain consistent formatting.

Tools

GitHub Check: Codacy Static Code Analysis

[notice] 173-173: apiserver/plane/app/views/inbox/base.py#L173
Trailing whitespace

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 87d6544 and 0ba67cf.

Files selected for processing (3)

• apiserver/plane/app/views/inbox/base.py (5 hunks)
• apiserver/plane/app/views/project/invite.py (3 hunks)
• web/core/components/inbox/content/root.tsx (4 hunks)

Additional context used

GitHub Check: Codacy Static Code Analysis

apiserver/plane/app/views/inbox/base.py

[notice] 173-173: apiserver/plane/app/views/inbox/base.py#L173
Trailing whitespace

Additional comments not posted (9)

web/core/components/inbox/content/root.tsx (5)

8-8: LGTM!

The import statement for the useUser hook is correct and consistent with the other imports.

---

37-37: LGTM!

The useUser hook is correctly used to retrieve the current user's data, and the retrieved data is destructured and assigned to the currentUser variable.

---

40-40: LGTM!

The import statement for the projectPermissionsByWorkspaceSlugAndProjectId function from the useUserPermissions hook is correct and consistent with the other imports.

---

65-68: LGTM!

The addition of the EUserPermissions.GUEST permission to the allowPermissions function is consistent with the PR objective of allowing guests to edit their own issues.

---

69-70: LGTM!

The introduction of the isGuest and readOnly variables enhances the component's logic regarding user permissions and editing capabilities. The readOnly variable ensures that editing is disabled when the user is a guest and the creator of the issue, and the update to the isEditable condition is consistent with this change.

Also applies to: 96-96

apiserver/plane/app/views/project/invite.py (1)

48-48: LGTM!

The @allow_permission([ROLE.ADMIN]) decorator is correctly implemented and aligns with the objective of enforcing stricter role validation for creating invitations. This change enhances security by ensuring that only authorized users with the admin role can create invitations.

apiserver/plane/app/views/inbox/base.py (3)

203-212: LGTM!

The additional permission checks based on the user's role and project settings are implemented correctly. They ensure that guests with role 5 can only view their own issues if the project restricts guest access to all features. This enhances the security and privacy of issue visibility within the project.

---

524-524: LGTM!

Adding the ROLE.GUEST role to the allowed roles for the retrieve method is a valid change. It allows guest users to retrieve inbox issues, subject to the additional permission checks implemented in the retrieve method.

---

Line range hint 533-574: LGTM!

The additional permission checks in the retrieve method are implemented correctly. They ensure that guests with role 5 cannot view issues that they did not create if the project restricts guest access to all features. This aligns with the permission checks introduced in the list method and enhances the security and privacy of issue visibility within the project.

[rahulramesha]

Approving frontend changes