From bc52fa1cc427ca0868076a6c342bb8fb3ee47d99 Mon Sep 17 00:00:00 2001
From: sangeethailango
Date: Tue, 23 Dec 2025 15:57:31 +0530
Subject: [PATCH] chore: workspace api token permission check

---
 .../plane/api/middleware/api_authentication.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/apps/api/plane/api/middleware/api_authentication.py b/apps/api/plane/api/middleware/api_authentication.py
index ddabb4132d..2792c8d55b 100644
--- a/apps/api/plane/api/middleware/api_authentication.py
+++ b/apps/api/plane/api/middleware/api_authentication.py
@@ -1,13 +1,14 @@
 # Django imports
 from django.utils import timezone
 from django.db.models import Q
+from django.urls import resolve
 
 # Third party imports
 from rest_framework import authentication
 from rest_framework.exceptions import AuthenticationFailed
 
 # Module imports
-from plane.db.models import APIToken
+from plane.db.models import APIToken, Workspace
 
 
 class APIKeyAuthentication(authentication.BaseAuthentication):
@@ -22,13 +23,20 @@ class APIKeyAuthentication(authentication.BaseAuthentication):
     def get_api_token(self, request):
         return request.headers.get(self.auth_header_name)
 
-    def validate_api_token(self, token):
+    def validate_api_token(self, token, workspace_slug):
         try:
             api_token = APIToken.objects.get(
                 Q(Q(expired_at__gt=timezone.now()) | Q(expired_at__isnull=True)),
                 token=token,
                 is_active=True,
             )
+
+            if workspace_slug:
+                workspace = Workspace.objects.get(slug=workspace_slug)
+
+                if api_token.workspace_id != workspace.id:
+                    raise AuthenticationFailed("Given API token is not valid")
+
         except APIToken.DoesNotExist:
             raise AuthenticationFailed("Given API token is not valid")
 
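Review bot: `Workspace.objects.get(slug=workspace_slug)` inside validate_api_token can raise `Workspace.DoesNotExist`, but the enclosing `except` only catches `APIToken.DoesNotExist`, so a valid token sent against an unknown slug escapes as an unhandled exception (a 500) instead of an authentication failure. Widening the handler to `except (APIToken.DoesNotExist, Workspace.DoesNotExist):` makes both the unknown-slug and the mismatched-workspace cases return the same "Given API token is not valid" response, so a caller cannot tell one from the other. The comparison is also skipped entirely whenever workspace_slug is falsy, which means routes that do not carry the slug get no workspace scope check; a comment at the `if workspace_slug:` line stating that this is deliberate would help the next reader, e.g. `# Routes without a workspace slug in the URL are not scope-checked here`. The body of validate_api_token continues past the end of this hunk.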
@@ -38,10 +46,12 @@ class APIKeyAuthentication(authentication.BaseAuthentication):
         return (api_token.user, api_token.token)
 
     def authenticate(self, request):
+        workspace_slug = resolve(request.path_info).kwargs.get("slug")
+
         token = self.get_api_token(request=request)
         if not token:
             return None
 
         # Validate the API token
-        user, token = self.validate_api_token(token)
+        user, token = self.validate_api_token(token, workspace_slug)
         return user, token
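Review bot: `resolve(request.path_info).kwargs.get("slug")` ties the workspace check to the URL kwarg being literally named `slug`; on any route whose workspace parameter uses a different name this yields None and validate_api_token then skips the workspace comparison, so the new check fails open silently rather than failing closed. A comment at that line would at least make the contract visible, e.g. `# Workspace-scoped routes must expose the workspace slug as the "slug" URL kwarg; otherwise the token is not checked against the workspace`, and a project-wide grep of the URL patterns for differently named workspace kwargs is worth doing before relying on this. `resolve()` also raises `Resolver404` for a path that matches no pattern; by the time DRF authentication runs the request has normally already been routed, so that is probably unreachable here, but it is worth confirming since the exception would surface from inside the authentication layer.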