From 9070acbbe81bc02db5c169789da6862d5fc35d96 Mon Sep 17 00:00:00 2001
From: sriram veeraghanta
Date: Fri, 20 Feb 2026 18:02:12 +0530
Subject: [PATCH] fix: IDOR Vulnerabilities in Asset & Attachment Endpoints (#8644)

* fix: idor issues in project assets and issue attachements

* fix: comments
---
 apps/api/plane/app/views/asset/v2.py | 2 +-
 apps/api/plane/app/views/issue/attachment.py | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/apps/api/plane/app/views/asset/v2.py b/apps/api/plane/app/views/asset/v2.py
index 2961ec4bac..62c5f84a20 100644
--- a/apps/api/plane/app/views/asset/v2.py
+++ b/apps/api/plane/app/views/asset/v2.py
@@ -579,7 +579,7 @@ class ProjectAssetEndpoint(BaseAPIView):
     @allow_permission([ROLE.ADMIN, ROLE.MEMBER, ROLE.GUEST])
     def patch(self, request, slug, project_id, pk):
         # get the asset id
-        asset = FileAsset.objects.get(id=pk)
+        asset = FileAsset.objects.get(id=pk, workspace__slug=slug, project_id=project_id)
         # get the storage metadata
         asset.is_uploaded = True
         # get the storage metadata
diff --git a/apps/api/plane/app/views/issue/attachment.py b/apps/api/plane/app/views/issue/attachment.py
index f0c55763ed..fa03ae5f1c 100644
--- a/apps/api/plane/app/views/issue/attachment.py
+++ b/apps/api/plane/app/views/issue/attachment.py
@@ -60,7 +60,11 @@ class IssueAttachmentEndpoint(BaseAPIView):
     @allow_permission([ROLE.ADMIN], creator=True, model=FileAsset)
     def delete(self, request, slug, project_id, issue_id, pk):
-        issue_attachment = FileAsset.objects.get(pk=pk)
+        issue_attachment = FileAsset.objects.filter(
+            pk=pk, workspace__slug=slug, project_id=project_id, issue_id=issue_id
+        ).first()
+        if not issue_attachment:
+            return Response(status=status.HTTP_404_NOT_FOUND)
         issue_attachment.asset.delete(save=False)
         issue_attachment.delete()
         issue_activity.delay(
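Review bot: The scoped lookup in `patch` still uses `FileAsset.objects.get(...)`, so a pk that exists but belongs to another workspace or project now raises `FileAsset.DoesNotExist` instead of being answered explicitly, while the `delete` hunk in attachment.py in this same commit switches to `filter(...).first()` with a `404` response for exactly that case. Unless `BaseAPIView` maps `ObjectDoesNotExist` to a 404 (not visible in this hunk), the two endpoints now behave differently for the same tenant-mismatch input, and the asset endpoint may surface it as an unhandled error. I would mirror the attachment.py approach here so the not-found path is uniform, assuming `Response` and `status` are in scope in v2.py as they are in attachment.py; a short comment such as `# scope by workspace and project so a pk from another tenant is a 404, never a match` would also record why the extra filters exist. The body of `patch` continues outside the hunk.
```python
        # scope by workspace and project so a pk from another tenant is a 404, never a match
        asset = FileAsset.objects.filter(
            id=pk, workspace__slug=slug, project_id=project_id
        ).first()
        if asset is None:
            return Response(status=status.HTTP_404_NOT_FOUND)
        # … unchanged: storage metadata update …
```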