diff --git a/nocodetools/permissions.py b/nocodetools/permissions.py
new file mode 100644
index 0000000..30b032f
--- /dev/null
+++ b/nocodetools/permissions.py
@@ -0,0 +1,26 @@
+# permissions.py
+from rest_framework.permissions import BasePermission
+from projects.models import Project, ProjectTeamList
+from portfolios.models import Portfolio
+
+UNSAFE_REQUEST = ["POST", "PUT", "PATCH", "DELETE"]
+
+class IsOwnerOrMemberInCreateAndUpdateAndDelete(BasePermission):
+    def has_permission(self, request, view):
+        if request.method not in UNSAFE_REQUEST:
+            return True
+
+        related_type = request.query_params.get("type")
+        related_id = request.query_params.get("id")
+
+        if not related_type or not related_id:
+            return False
+
+        user = request.user
+
+        if related_type == "project":
+            return ProjectTeamList.objects.filter(project=related_id, user=user).exists()
+        elif related_type == "portfolio":
+            return Portfolio.objects.filter(id=related_id, owner=user).exists()
+        else:
+            return False
\ No newline at end of file
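Review bot: `has_permission` authorizes the write against whatever `type`/`id` the client places in the query string, not against the object the POST/PUT/PATCH/DELETE actually operates on, so a member of one project can pass that project's id while the body or URL path references another unless the view itself binds the two — worth confirming in the view, or deriving the id from the view's kwargs / moving the check into `has_object_permission` where the target object is known. `request.user` is also used in the ORM filters with no authentication guard; for an `AnonymousUser` the `user=user` and `owner=user` lookups raise rather than deny, unless `IsAuthenticated` is always listed ahead of this class, so `if not request.user.is_authenticated: return False` right after the method check is cheap insurance. The `id` value is a raw string, so a non-numeric value reaches the integer primary-key filter and errors out instead of being rejected with a 403. Note too that safe methods return True unconditionally, so reads are not covered by this class, and `Project` is imported but never used.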