fix: IDOR Vulnerabilities in Asset & Attachment Endpoints (#8644)

* fix: idor issues in project assets and issue attachements * fix: comments
2026-02-24 04:00:14 +01:00 · 2026-02-20 18:02:12 +05:30
parent b5fe8a2825
commit 9070acbbe8
2 changed files with 6 additions and 2 deletions
--- a/apps/api/plane/app/views/asset/v2.py
+++ b/apps/api/plane/app/views/asset/v2.py
@@ -579,7 +579,7 @@ class ProjectAssetEndpoint(BaseAPIView):
    @allow_permission([ROLE.ADMIN, ROLE.MEMBER, ROLE.GUEST])
    def patch(self, request, slug, project_id, pk):
        # get the asset id
-        asset = FileAsset.objects.get(id=pk)
+        asset = FileAsset.objects.get(id=pk, workspace__slug=slug, project_id=project_id)
        # get the storage metadata
        asset.is_uploaded = True
        # get the storage metadata
--- a/apps/api/plane/app/views/issue/attachment.py
+++ b/apps/api/plane/app/views/issue/attachment.py
@@ -60,7 +60,11 @@ class IssueAttachmentEndpoint(BaseAPIView):

    @allow_permission([ROLE.ADMIN], creator=True, model=FileAsset)
    def delete(self, request, slug, project_id, issue_id, pk):
-        issue_attachment = FileAsset.objects.get(pk=pk)
+        issue_attachment = FileAsset.objects.filter(
+            pk=pk, workspace__slug=slug, project_id=project_id, issue_id=issue_id
+        ).first()
+        if not issue_attachment:
+            return Response(status=status.HTTP_404_NOT_FOUND)
        issue_attachment.asset.delete(save=False)
        issue_attachment.delete()
        issue_activity.delay(