BITMAKER-2716 Fix control flow when adding, removing, or updating project members (#166)

* Fix control flow when adding, removing, or updating project members.

---------

Co-authored-by: Raymond Negron <raymond1242@Raymonds-MacBook-Air.local>
Co-authored-by: emegona <mateo@emegona.com>

Author: 3 people

estela-api/api/serializers/project.py

@@ -101,10 +101,7 @@ class ProjectUpdateSerializer(serializers.ModelSerializer):
     pid = serializers.UUIDField(
         read_only=True, help_text="A UUID identifying this project."
     )
-    users = UserDetailSerializer(many=True, required=False, help_text="Afected users.")
-    user = serializers.EmailField(
-        write_only=True, required=False, help_text="User email address."
-    )
+    users = UserDetailSerializer(many=True, required=False, help_text="Affected users.")
     email = serializers.EmailField(
         write_only=True, required=False, help_text="Email address."
     )
@@ -123,4 +120,4 @@ class ProjectUpdateSerializer(serializers.ModelSerializer):
 
     class Meta:
         model = Project
-        fields = ("pid", "name", "users", "user", "email", "action", "permission")
+        fields = ("pid", "name", "users", "email", "action", "permission")

estela-api/api/views/project.py

@@ -1,9 +1,17 @@
 from datetime import datetime, timedelta
 
+from django.core.paginator import Paginator
+from drf_yasg import openapi
+from drf_yasg.utils import swagger_auto_schema
+from rest_framework import status, viewsets
+from rest_framework.decorators import action
+from rest_framework.exceptions import NotFound, ParseError, PermissionDenied
+from rest_framework.response import Response
+
 from api import errors
 from api.mixins import BaseViewSet
-from api.serializers.job import ProjectJobSerializer, SpiderJobSerializer
 from api.serializers.cronjob import ProjectCronJobSerializer, SpiderCronJobSerializer
+from api.serializers.job import ProjectJobSerializer, SpiderJobSerializer
 from api.serializers.project import (
     ProjectSerializer,
     ProjectUpdateSerializer,
@@ -14,18 +22,11 @@
     Permission,
     Project,
     Spider,
-    SpiderJob,
     SpiderCronJob,
+    SpiderJob,
     UsageRecord,
     User,
 )
-from django.core.paginator import Paginator
-from drf_yasg import openapi
-from drf_yasg.utils import swagger_auto_schema
-from rest_framework import status, viewsets
-from rest_framework.decorators import action
-from rest_framework.response import Response
-from rest_framework.exceptions import NotFound, ParseError
 
 
 class ProjectViewSet(BaseViewSet, viewsets.ModelViewSet):
@@ -83,42 +84,42 @@ def update(self, request, *args, **kwargs):
 
         name = serializer.validated_data.get("name", "")
         user_email = serializer.validated_data.pop("email", "")
-        user_permision = serializer.validated_data.pop("user", "")
         action = serializer.validated_data.pop("action", "")
         permission = serializer.validated_data.pop("permission", "")
-
         if name:
             instance.name = name
-        if user_email and user_email != user_permision:
+        if user_email and user_email != request.user.email:
+            if not (
+                request.user.permission_set.get(project=instance).permission
+                in [Permission.ADMIN_PERMISSION, Permission.OWNER_PERMISSION]
+            ):
+                raise PermissionDenied(
+                    {"permission": "You do not have permission to do this."}
+                )
+
             user = User.objects.filter(email=user_email)
-            user_instance = User.objects.filter(email=user_permision)
-            if user:
-                user = user.get()
-                user_instance = user_instance.get()
-                if (
-                    user_instance.permission_set.get(project=instance).permission
-                    in [Permission.ADMIN_PERMISSION, Permission.OWNER_PERMISSION]
-                ) and permission != Permission.OWNER_PERMISSION:
-                    if action == "add":
-                        instance.users.add(
-                            user, through_defaults={"permission": permission}
-                        )
-                    elif action == "remove" and (
-                        user.permission_set.get(project=instance).permission
-                        != Permission.OWNER_PERMISSION
-                    ):
-                        instance.users.remove(user)
-                    elif action == "update":
-                        instance.users.remove(user)
-                        instance.users.add(
-                            user, through_defaults={"permission": permission}
-                        )
-                    else:
-                        raise ParseError({"error": "Action not supported."})
-                else:
-                    raise ParseError({"error": "Action not supported."})
-            else:
+            if not user:
                 raise NotFound({"email": "User does not exist."})
+
+            user = user.get()
+            existing_permission = user.permission_set.filter(project=instance).first()
+            if (
+                existing_permission
+                and existing_permission.permission == Permission.OWNER_PERMISSION
+            ):
+                raise ParseError(
+                    {"error": "You cannot modify the permissions of an owner user."}
+                )
+
+            if action == "add":
+                instance.users.add(user, through_defaults={"permission": permission})
+            elif action == "remove":
+                instance.users.remove(user)
+            elif action == "update":
+                instance.users.remove(user)
+                instance.users.add(user, through_defaults={"permission": permission})
+            else:
+                raise ParseError({"error": "Action not supported."})
         serializer.save()
 
         headers = self.get_success_headers(serializer.data)
@@ -219,7 +220,6 @@ def cronjobs(self, request, *args, **kwargs):
     )
     @action(methods=["GET"], detail=True)
     def current_usage(self, request, *args, **kwargs):
-        instance = self.get_object()
         project = Project.objects.get(pid=kwargs["pid"])
         serializer = ProjectUsageSerializer(
             UsageRecord.objects.filter(project=project).first()
@@ -251,7 +251,6 @@ def current_usage(self, request, *args, **kwargs):
     )
     @action(methods=["GET"], detail=True)
     def usage(self, request, *args, **kwargs):
-        instance = self.get_object()
         project = Project.objects.get(pid=kwargs["pid"])
         start_date = request.query_params.get(
             "start_date", datetime.today().replace(day=1)

estela-api/docs/api.yaml

@@ -1287,16 +1287,10 @@ definitions:
         maxLength: 1000
         minLength: 1
       users:
-        description: Afected users.
+        description: Affected users.
         type: array
         items:
           $ref: '#/definitions/UserDetail'
-      user:
-        title: User
-        description: User email address.
-        type: string
-        format: email
-        minLength: 1
       email:
         title: Email
         description: Email address.

estela-web/src/components/ProjectMemberPage/index.tsx

@@ -127,10 +127,7 @@ export class ProjectMemberPage extends Component<RouteComponentProps<RouteParams
                 : option == 1
                 ? ProjectUpdateActionEnum.Add
                 : ProjectUpdateActionEnum.Update;
-        const user_email = this.state.users.find((item) => item.user?.username === AuthService.getUserUsername())?.user
-            ?.email;
         const requestData: ProjectUpdate = {
-            user: user_email,
             email: email,
             action: action,
             permission: this.state.permission,

estela-web/src/services/api/generated-api/models/ProjectUpdate.ts

@@ -39,17 +39,11 @@ export interface ProjectUpdate {
      */
     name: string;
     /**
-     * Afected users.
+     * Affected users.
      * @type {Array<UserDetail>}
      * @memberof ProjectUpdate
      */
     users?: Array<UserDetail>;
-    /**
-     * User email address.
-     * @type {string}
-     * @memberof ProjectUpdate
-     */
-    user?: string;
     /**
      * Email address.
      * @type {string}
@@ -101,7 +95,6 @@ export function ProjectUpdateFromJSONTyped(json: any, ignoreDiscriminator: boole
         'pid': !exists(json, 'pid') ? undefined : json['pid'],
         'name': json['name'],
         'users': !exists(json, 'users') ? undefined : ((json['users'] as Array<any>).map(UserDetailFromJSON)),
-        'user': !exists(json, 'user') ? undefined : json['user'],
         'email': !exists(json, 'email') ? undefined : json['email'],
         'action': !exists(json, 'action') ? undefined : json['action'],
         'permission': !exists(json, 'permission') ? undefined : json['permission'],
@@ -119,7 +112,6 @@ export function ProjectUpdateToJSON(value?: ProjectUpdate | null): any {
 
         'name': value.name,
         'users': value.users === undefined ? undefined : ((value.users as Array<any>).map(UserDetailToJSON)),
-        'user': value.user,
         'email': value.email,
         'action': value.action,
         'permission': value.permission,