From e8b18f1df9f6d6e8fd9bcd6b9f603519f9fbbd42 Mon Sep 17 00:00:00 2001
From: Aadesh-Baral
Date: Mon, 28 Aug 2023 13:27:22 +0545
Subject: [PATCH] Resolve Permission Conflict during Project Deletion.

-----------------------------------
The current setup for deleting a project involves conflicting permission checks. In the resource class function, users with a Project Manager (PM) role are allowed to delete projects. However, in the service function responsible for project deletion, the check only permits organization managers or system administrators to perform this action. To address this inconsistency in permission checks, this commit streamlines the process. It eliminates the permission check within the service function, thereby enabling users with PM roles within a project to successfully initiate project deletions.
---
 backend/api/projects/resources.py | 1 -
 backend/services/project_admin_service.py | 19 ++++---------------
 2 files changed, 4 insertions(+), 16 deletions(-)

diff --git a/backend/api/projects/resources.py b/backend/api/projects/resources.py
index 0ded32b7b3..7169fb4b3b 100644
--- a/backend/api/projects/resources.py
+++ b/backend/api/projects/resources.py
@@ -431,7 +431,6 @@ def delete(self, project_id):
 description: Internal Server Error
 """
 authenticated_user_id = token_auth.current_user()
- # FLAGGED: CONFLICTING PERMISSION CHECK WITH SERVICE FUNCTION
 if not ProjectAdminService.is_user_action_permitted_on_project(
 authenticated_user_id, project_id
 ):
diff --git a/backend/services/project_admin_service.py b/backend/services/project_admin_service.py
index 32d880e55b..9f4f162206 100644
--- a/backend/services/project_admin_service.py
+++ b/backend/services/project_admin_service.py
@@ -155,22 +155,11 @@ def delete_project(project_id: int, authenticated_user_id: int):
 """Deletes project if it has no completed tasks"""
 project = ProjectAdminService._get_project_by_id(project_id)
- is_admin = UserService.is_user_an_admin(authenticated_user_id)
- user_orgs = OrganisationService.get_organisations_managed_by_user_as_dto(
- authenticated_user_id
- )
- is_org_manager = len(user_orgs.organisations) > 0
-
- if is_admin or is_org_manager:
- if project.can_be_deleted():
- project.delete()
- else:
- raise ProjectAdminServiceError(
- "HasMappedTasks- Project has mapped tasks, cannot be deleted"
- )
+ if project.can_be_deleted():
+ project.delete()
 else:
- raise Forbidden(
- sub_code="USER_NOT_ORG_MANAGER", user_id=authenticated_user_id
+ raise ProjectAdminServiceError(
+ "HasMappedTasks- Project has mapped tasks, cannot be deleted"
 )
 @staticmethod
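Review bot: After this hunk `delete_project` does no authorization of its own and never reads `authenticated_user_id`, so the only permission gate left is the `is_user_action_permitted_on_project` check in the resource-layer `delete` handler, and any other caller of the service would delete a project with no check at all. Rather than dropping the check, the service can enforce the same project-manager rule itself, right after `_get_project_by_id`: `if not ProjectAdminService.is_user_action_permitted_on_project(authenticated_user_id, project_id):` followed by `raise Forbidden(sub_code="<SUB_CODE>", user_id=authenticated_user_id)`. If the decision is to leave authorization to the resource layer, the docstring should say so, e.g. append `Caller is responsible for checking the user's permission on the project.` to the existing one-line docstring. With `Forbidden`, `UserService` and `OrganisationService` no longer used in this hunk, their imports may now be unused in the module — worth a check. The method's enclosing class and the module imports are outside the hunk.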