[WEB-7847] fix: enforce workspace membership on entity-search endpoint (#9296)

* fix: enforce workspace membership on entity-search endpoint (GHSA-32q3-mqpc-3mhv)

SearchEndpoint required authentication but did not verify the requesting user
was a member of the queried workspace. Any authenticated Plane user could
enumerate members across workspaces they don't belong to by guessing slugs.

Add a WorkspaceMember guard at the top of get() — returns 403 if the user is
not an active member of the target workspace. Brings OSS to parity with EE,
which already had this protection via @can(WorkspacePermissions.VIEW).

Co-authored-by: Plane AI <noreply@plane.so>

* refactor(security): replace inline WS membership check with WorkspaceUserPermission

Use the existing WorkspaceUserPermission permission class on SearchEndpoint
instead of a manual WorkspaceMember.objects.filter() guard inside the
method body. Enforcement behaviour is unchanged (GHSA-32q3-mqpc-3mhv).

Co-authored-by: Plane AI <noreply@plane.so>

---------

Co-authored-by: Plane AI <noreply@plane.so>
This commit is contained in:
Manish Gupta
2026-06-30 18:35:10 +05:30
committed by GitHub
parent 4577dc3f7a
commit 28ae25b564

View File

@@ -28,6 +28,7 @@ from rest_framework.response import Response
# Module imports
from plane.app.views.base import BaseAPIView
from plane.app.permissions import WorkspaceUserPermission
from plane.db.models import (
Workspace,
Project,
@@ -302,6 +303,8 @@ class GlobalSearchEndpoint(BaseAPIView):
class SearchEndpoint(BaseAPIView):
permission_classes = (WorkspaceUserPermission,)
def get(self, request, slug):
query = request.query_params.get("query", False)
query_types = request.query_params.get("query_type", "user_mention").split(",")