Resolve Permission Conflict during Project Deletion.

----------------------------------- The current setup for deleting a project involves conflicting permission checks. In the resource class function, users with a Project Manager (PM) role are allowed to delete projects. However, in the service function responsible for project deletion, the check only permits organization managers or system administrators to perform this action. To address this inconsistency in permission checks, this commit streamlines the process. It eliminates the permission check within the service function, thereby enabling users with PM roles within a project to successfully initiate project deletions.
hotosm · Aug 28, 2023 · e8b18f1 · e8b18f1
1 parent 535a15a
commit e8b18f1
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 16 deletions.
diff --git a/backend/api/projects/resources.py b/backend/api/projects/resources.py
@@ -431,7 +431,6 @@ def delete(self, project_id):
                 description: Internal Server Error
         """
         authenticated_user_id = token_auth.current_user()
-        # FLAGGED: CONFLICTING PERMISSION CHECK WITH SERVICE FUNCTION
         if not ProjectAdminService.is_user_action_permitted_on_project(
             authenticated_user_id, project_id
         ):

diff --git a/backend/services/project_admin_service.py b/backend/services/project_admin_service.py
@@ -155,22 +155,11 @@ def delete_project(project_id: int, authenticated_user_id: int):
         """Deletes project if it has no completed tasks"""
 
         project = ProjectAdminService._get_project_by_id(project_id)
-        is_admin = UserService.is_user_an_admin(authenticated_user_id)
-        user_orgs = OrganisationService.get_organisations_managed_by_user_as_dto(
-            authenticated_user_id
-        )
-        is_org_manager = len(user_orgs.organisations) > 0
-
-        if is_admin or is_org_manager:
-            if project.can_be_deleted():
-                project.delete()
-            else:
-                raise ProjectAdminServiceError(
-                    "HasMappedTasks- Project has mapped tasks, cannot be deleted"
-                )
+        if project.can_be_deleted():
+            project.delete()
         else:
-            raise Forbidden(
-                sub_code="USER_NOT_ORG_MANAGER", user_id=authenticated_user_id
+            raise ProjectAdminServiceError(
+                "HasMappedTasks- Project has mapped tasks, cannot be deleted"
             )
 
     @staticmethod