fix: delete project by viewer

Signed-off-by: thxCode <thxcode0824@gmail.com>

Author: thxCode

pkg/apis/project/basic.go

@@ -1,12 +1,15 @@
 package project
 
 import (
+	"net/http"
+
 	"github.com/seal-io/walrus/pkg/auths/session"
 	"github.com/seal-io/walrus/pkg/dao"
 	"github.com/seal-io/walrus/pkg/dao/model"
 	"github.com/seal-io/walrus/pkg/dao/model/project"
 	"github.com/seal-io/walrus/pkg/dao/types"
 	"github.com/seal-io/walrus/pkg/dao/types/object"
+	"github.com/seal-io/walrus/utils/errorx"
 )
 
 func (h Handler) Create(req CreateRequest) (CreateResponse, error) {
@@ -119,6 +122,16 @@ func (h Handler) CollectionGet(req CollectionGetRequest) (CollectionGetResponse,
 func (h Handler) CollectionDelete(req CollectionDeleteRequest) error {
 	ids := req.IDs()
 
+	// Validate whether the subject has permission to delete the projects.
+	sj := session.MustGetSubject(req.Context)
+	if !sj.IsAdmin() {
+		for i := range ids {
+			if !sj.Enforce(string(ids[i]), http.MethodDelete, "projects", string(ids[i]), req.Context.FullPath()) {
+				return errorx.NewHttpError(http.StatusForbidden, "")
+			}
+		}
+	}
+
 	return h.modelClient.WithTx(req.Context, func(tx *model.Tx) error {
 		_, err := tx.Projects().Delete().
 			Where(project.IDIn(ids...)).