fix(security): address CR review on project invite token validation

- Use request.user directly instead of re-querying User by exact
  project_invite.email — avoids case-variant miss after the case-insensitive
  email check already validated the authenticated user (CR comment 1)
- Validate `accepted` as a real boolean before saving — form-encoded
  strings like "false" are truthy and could accidentally create memberships
  (CR comment 2)

Co-authored-by: Plane AI <noreply@plane.so>
This commit is contained in:
Manish Gupta
2026-06-24 18:05:14 +05:30
parent 6de5e44dd3
commit c03149c275

View File

@@ -211,13 +211,20 @@ class ProjectJoinEndpoint(BaseAPIView):
)
if project_invite.responded_at is None:
project_invite.accepted = request.data.get("accepted", False)
accepted = request.data.get("accepted", False)
if not isinstance(accepted, bool):
return Response(
{"error": "`accepted` must be a boolean"},
status=status.HTTP_400_BAD_REQUEST,
)
project_invite.accepted = accepted
project_invite.responded_at = timezone.now()
project_invite.save()
if project_invite.accepted:
# Check if the user account exists
user = User.objects.filter(email=project_invite.email).first()
# Use the authenticated user directly — they've already been
# validated as the invite recipient above.
user = request.user
# Check if user is a part of workspace
workspace_member = WorkspaceMember.objects.filter(workspace__slug=slug, member=user).first()