[WEB-3488] improvement: assignee validation for work item creation (#6701)

prateekshourya29 · sriramveeraghanta · commit ac6fef3073b1 · 2025-03-05T16:21:09.000+05:30
diff --git a/apiserver/plane/api/serializers/issue.py b/apiserver/plane/api/serializers/issue.py
@@ -80,6 +80,7 @@ def validate(self, data):
             data["assignees"] = ProjectMember.objects.filter(
                 project_id=self.context.get("project_id"),
                 is_active=True,
+                role__gte=15,
                 member_id__in=data["assignees"],
             ).values_list("member_id", flat=True)
 
@@ -158,8 +159,13 @@ def create(self, validated_data):
                 pass
         else:
             try:
-                # Then assign it to default assignee
-                if default_assignee_id is not None:
+                # Then assign it to default assignee, if it is a valid assignee
+                if default_assignee_id is not None and ProjectMember.objects.filter(
+                    member_id=default_assignee_id,
+                    project_id=project_id,
+                    role__gte=15,
+                    is_active=True
+                ).exists():
                     IssueAssignee.objects.create(
                         assignee_id=default_assignee_id,
                         issue=issue,
diff --git a/apiserver/plane/app/serializers/issue.py b/apiserver/plane/app/serializers/issue.py
@@ -36,6 +36,7 @@
     State,
     IssueVersion,
     IssueDescriptionVersion,
+    ProjectMember,
 )
 
 
@@ -119,6 +120,17 @@ def validate(self, data):
             raise serializers.ValidationError("Start date cannot exceed target date")
         return data
 
+    def get_valid_assignees(self, assignees, project_id):
+        if not assignees:
+            return []
+
+        return ProjectMember.objects.filter(
+            project_id=project_id,
+            role__gte=15,
+            is_active=True,
+            member_id__in=assignees
+        ).values_list('member_id', flat=True)
+
     def create(self, validated_data):
         assignees = validated_data.pop("assignee_ids", None)
         labels = validated_data.pop("label_ids", None)
@@ -134,27 +146,33 @@ def create(self, validated_data):
         created_by_id = issue.created_by_id
         updated_by_id = issue.updated_by_id
 
-        if assignees is not None and len(assignees):
+        valid_assignee_ids = self.get_valid_assignees(assignees, project_id)
+        if valid_assignee_ids is not None and len(valid_assignee_ids):
             try:
                 IssueAssignee.objects.bulk_create(
                     [
                         IssueAssignee(
-                            assignee=user,
+                            assignee_id=user_id,
                             issue=issue,
                             project_id=project_id,
                             workspace_id=workspace_id,
                             created_by_id=created_by_id,
                             updated_by_id=updated_by_id,
                         )
-                        for user in assignees
+                        for user_id in valid_assignee_ids
                     ],
                     batch_size=10,
                 )
             except IntegrityError:
                 pass
         else:
-            # Then assign it to default assignee
-            if default_assignee_id is not None:
+            # Then assign it to default assignee, if it is a valid assignee
+            if default_assignee_id is not None and ProjectMember.objects.filter(
+                member_id=default_assignee_id,
+                project_id=project_id,
+                role__gte=15,
+                is_active=True
+            ).exists():
                 try:
                     IssueAssignee.objects.create(
                         assignee_id=default_assignee_id,
@@ -198,20 +216,21 @@ def update(self, instance, validated_data):
         created_by_id = instance.created_by_id
         updated_by_id = instance.updated_by_id
 
-        if assignees is not None:
+        valid_assignee_ids = self.get_valid_assignees(assignees, project_id)
+        if valid_assignee_ids is not None and len(valid_assignee_ids):
             IssueAssignee.objects.filter(issue=instance).delete()
             try:
                 IssueAssignee.objects.bulk_create(
                     [
                         IssueAssignee(
-                            assignee=user,
+                            assignee_id=user_id,
                             issue=instance,
                             project_id=project_id,
                             workspace_id=workspace_id,
                             created_by_id=created_by_id,
                             updated_by_id=updated_by_id,
                         )
-                        for user in assignees
+                        for user_id in valid_assignee_ids
                     ],
                     batch_size=10,
                     ignore_conflicts=True,
