From d1911eb1b82b754dc6769113a037974445d14a82 Mon Sep 17 00:00:00 2001
From: sm4640
Date: Thu, 5 Jun 2025 18:31:06 +0900
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20Feat:=20[#64]=20=EC=BD=94=EB=93=9C?= =?UTF-8?q?=20owner=20=ED=98=B9=EC=9D=80=20=ED=8C=80=EC=9B=90=EC=9D=B8?= =?UTF-8?q?=EC=A7=80=20=ED=99=95=EC=9D=B8=20=EC=97=AC=EB=B6=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
nocodetools/permissions.py | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 nocodetools/permissions.py
diff --git a/nocodetools/permissions.py b/nocodetools/permissions.py
new file mode 100644
index 0000000..30b032f
--- /dev/null
+++ b/nocodetools/permissions.py
@@ -0,0 +1,26 @@
+# permissions.py
+from rest_framework.permissions import BasePermission
+from projects.models import Project, ProjectTeamList
+from portfolios.models import Portfolio
+
+UNSAFE_REQUEST = ["POST", "PUT", "PATCH", "DELETE"]
+
+class IsOwnerOrMemberInCreateAndUpdateAndDelete(BasePermission):
+ def has_permission(self, request, view):
+ if request.method not in UNSAFE_REQUEST:
+ return True
+
+ related_type = request.query_params.get("type")
+ related_id = request.query_params.get("id")
+
+ if not related_type or not related_id:
+ return False
+
+ user = request.user
+
+ if related_type == "project":
+ return ProjectTeamList.objects.filter(project=related_id, user=user).exists()
+ elif related_type == "portfolio":
+ return Portfolio.objects.filter(id=related_id, owner=user).exists()
+ else:
+ return False
\ No newline at end of file
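Review bot: The write check in `has_permission` authorizes against the `type` and `id` query parameters, which the caller chooses, and nothing in this hunk ties them to the object the view actually creates, updates or deletes. If a view using this class takes its target from the URL path or the request body, a member of one project could name their own project in the query string while the write lands on a resource belonging to another; the views are not visible here, so confirm that each one saves against the same `type`/`id`, or move the membership test into `has_object_permission` so it runs on the resolved object. Separately, an anonymous user or a non-numeric `id` reaches the ORM filters unchecked and would probably surface as a 500 rather than a denial (assuming integer primary keys); a guard such as `if not request.user.is_authenticated: return False` and an `isdigit()` test on `related_id` before the queries would keep those as refusals. `Project` is imported but never used in this file.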