fix: ensure MANAGE_TAGS permission allows create tag (#4678)

Flagsmith · Oct 2, 2024 · 58eb9ed · 58eb9ed
1 parent a867ed1
commit 58eb9ed
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 8 deletions.
diff --git a/api/projects/tags/permissions.py b/api/projects/tags/permissions.py
@@ -11,14 +11,10 @@ def has_permission(self, request, view):
             return False
         project = Project.objects.get(pk=project_pk)
 
-        if request.user.is_project_admin(project):
-            return True
-
-        if view.action in ["list", "get_by_uuid"]:
-            return request.user.has_project_permission(VIEW_PROJECT, project)
-
-        # move on to object specific permissions
-        return view.detail
+        permission = (
+            VIEW_PROJECT if view.action in ("list", "get_by_uuid") else MANAGE_TAGS
+        )
+        return request.user.has_project_permission(permission, project) or view.detail
 
     def has_object_permission(self, request, view, obj):
         project = obj.project

diff --git a/api/tests/unit/projects/tags/test_unit_projects_tags_permissions.py b/api/tests/unit/projects/tags/test_unit_projects_tags_permissions.py
@@ -144,6 +144,50 @@ def test_project_user_has_detail_permission(
     assert result is True
 
 
+def test_project_user_with_manage_tags_has_permission_to_create(
+    staff_user: FFAdminUser,
+    project: Project,
+    with_project_permissions: WithProjectPermissionsCallable,
+) -> None:
+    # Given
+    with_project_permissions([VIEW_PROJECT, MANAGE_TAGS])
+    mock_request = mock.MagicMock(user=staff_user)
+    mock_view = mock.MagicMock(
+        action="create",
+        kwargs={"project_pk": project.id},
+        detail=False,
+    )
+    permissions = TagPermissions()
+
+    # When
+    result = permissions.has_permission(mock_request, mock_view)
+
+    # Then
+    assert result is True
+
+
+def test_project_user_with_view_project_does_not_have_permission_to_create(
+    staff_user: FFAdminUser,
+    project: Project,
+    with_project_permissions: WithProjectPermissionsCallable,
+) -> None:
+    # Given
+    with_project_permissions([VIEW_PROJECT])
+    mock_request = mock.MagicMock(user=staff_user)
+    mock_view = mock.MagicMock(
+        action="create",
+        kwargs={"project_pk": project.id},
+        detail=False,
+    )
+    permissions = TagPermissions()
+
+    # When
+    result = permissions.has_permission(mock_request, mock_view)
+
+    # Then
+    assert result is False
+
+
 def test_project_user_with_manage_tags_has_detail_permission(
     staff_user: FFAdminUser,
     project: Project,