[WEB-1985] chore: page access control (#5154)

* chore: page access control * chore: page access update endpoint updated --------- Co-authored-by: Anmol Singh Bhatia <anmolsinghbhatia@plane.so>
2025-08-07 19:59:33 +00:00 · 2024-07-19 15:43:01 +05:30
parent d3c3d3c5ab
commit 39a607ac0a
4 changed files with 42 additions and 2 deletions
--- a/apiserver/plane/app/urls/page.py
+++ b/apiserver/plane/app/urls/page.py
@@ -66,6 +66,16 @@ urlpatterns = [
        ),
        name="project-pages-lock-unlock",
    ),
+    # private and public page
+    path(
+        "workspaces/<str:slug>/projects/<uuid:project_id>/pages/<uuid:pk>/access/",
+        PageViewSet.as_view(
+            {
+                "post": "access",
+            }
+        ),
+        name="project-pages-access",
+    ),
    path(
        "workspaces/<str:slug>/projects/<uuid:project_id>/pages/<uuid:pk>/transactions/",
        PageLogEndpoint.as_view(),
--- a/apiserver/plane/app/views/page/base.py
+++ b/apiserver/plane/app/views/page/base.py
@@ -245,6 +245,28 @@ class PageViewSet(BaseViewSet):

        return Response(status=status.HTTP_204_NO_CONTENT)

+    def access(self, request, slug, project_id, pk):
+        access = request.data.get("access", 0)
+        page = Page.objects.filter(
+            pk=pk, workspace__slug=slug, projects__id=project_id
+        ).first()
+
+        # Only update access if the page owner is the requesting user
+        if (
+            page.access != request.data.get("access", page.access)
+            and page.owned_by_id != request.user.id
+        ):
+            return Response(
+                {
+                    "error": "Access cannot be updated since this page is owned by someone else"
+                },
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+
+        page.access = access
+        page.save()
+        return Response(status=status.HTTP_204_NO_CONTENT)
+
    def list(self, request, slug, project_id):
        queryset = self.get_queryset()
        pages = PageSerializer(queryset, many=True).data
--- a/web/core/services/page/project-page.service.ts
+++ b/web/core/services/page/project-page.service.ts
@@ -42,6 +42,14 @@ export class ProjectPageService extends APIService {
      });
  }

+  async updateAccess(workspaceSlug: string, projectId: string, pageId: string, data: Partial<TPage>): Promise<void> {
+    return this.post(`/api/workspaces/${workspaceSlug}/projects/${projectId}/pages/${pageId}/access/`, data)
+      .then((response) => response?.data)
+      .catch((error) => {
+        throw error?.response?.data;
+      });
+  }
+
  async remove(workspaceSlug: string, projectId: string, pageId: string): Promise<void> {
    return this.delete(`/api/workspaces/${workspaceSlug}/projects/${projectId}/pages/${pageId}/`)
      .then((response) => response?.data)
--- a/web/core/store/pages/page.ts
+++ b/web/core/store/pages/page.ts
@@ -363,7 +363,7 @@ export class Page implements IPage {
    runInAction(() => (this.access = EPageAccess.PUBLIC));

    try {
-      await this.pageService.update(workspaceSlug, projectId, this.id, {
+      await this.pageService.updateAccess(workspaceSlug, projectId, this.id, {
        access: EPageAccess.PUBLIC,
      });
    } catch (error) {
@@ -385,7 +385,7 @@ export class Page implements IPage {
    runInAction(() => (this.access = EPageAccess.PRIVATE));

    try {
-      await this.pageService.update(workspaceSlug, projectId, this.id, {
+      await this.pageService.updateAccess (workspaceSlug, projectId, this.id, {
        access: EPageAccess.PRIVATE,
      });
    } catch (error) {