Commit Graph

7083 Commits

Author SHA1 Message Date
Atul Tameshwari
58c71854fa refac: moved de-dupe directory to core 2026-06-16 17:24:42 +05:30
Atul Tameshwari
1fce8add7b refactor: remove obsolete cycle components and introduce new cycle-related components in core 2026-06-16 16:42:03 +05:30
Atul Tameshwari
613717a773 refactor: remove obsolete index file and add MaintenanceMessage and InboxSourcePill components 2026-06-16 15:22:29 +05:30
Atul Tameshwari
5a91581f31 refactor: update import paths for common components and introduce new ExtendedAppHeader, GlobalModals, and SubscriptionPill components 2026-06-16 15:12:15 +05:30
Atul Tameshwari
38c1a977af refactor: remove obsolete comments index file and introduce CommentBlock component in core 2026-06-16 14:51:30 +05:30
Atul Tameshwari
d86a2abae5 refactor: update import path for WorkItemDetailRoot and add new work item detail component 2026-06-16 14:43:16 +05:30
Atul Tameshwari
b18639e2cb refactor: update import paths for CommonProjectBreadcrumbs and add new breadcrumb components 2026-06-16 13:33:46 +05:30
Atul Tameshwari
625c26c10c refactor: remove unused automation components and simplify layout structure 2026-06-16 13:01:11 +05:30
Atul Tameshwari
2e282f4f2b refactor: migrate app-rail HOC to core components and remove obsolete index file 2026-06-16 12:45:10 +05:30
Atul Tameshwari
fa572acd35 refactor: replace WorkspaceActiveCyclesRoot with WorkspaceActiveCyclesUpgrade and remove obsolete components 2026-06-16 12:29:39 +05:30
Atul Tameshwari
9804225e69 feat: add project, work item, and workspace level modals for enhanced user interaction 2026-06-16 12:22:55 +05:30
Atul Tameshwari
c9561a72f9 refactor: update analytics tab imports and add new analytics tab components 2026-06-16 11:49:12 +05:30
Atul Tameshwari
b1def9316e refactor: remove command palette & sidebar components and related files from web/app/ce 2026-06-16 10:26:30 +05:30
Rahulcheryala
3e6f7ab9d0 fix: import structure for hooks 2026-06-15 18:14:40 +05:30
Rahulcheryala
2c98862acf fix: React doctor comments 2026-06-15 18:06:56 +05:30
Rahulcheryala
717eae9a0f fix: coderabbit comments 2026-06-15 18:05:38 +05:30
Rahulcheryala
1ca66f7f1d refactor: delete hook (use-issue-embed) from web/app/ce 2026-06-15 17:38:58 +05:30
Rahulcheryala
d920416e8f refactor: migrate hooks (use-workspace-issue-properties) from web/app/ce to web/app/core 2026-06-15 17:38:58 +05:30
Rahulcheryala
e3aa81f7cd refactor: migrate hooks (use-issue-properties) from web/app/ce to web/app/core 2026-06-15 17:38:58 +05:30
Rahulcheryala
34ddd1674a refactor: migrate hooks (use-debounced-duplicate-issues) from web/app/ce to web/app/core 2026-06-15 17:38:58 +05:30
Rahulcheryala
bf55317d0f refactor: migrate hooks (use-bulk-operations) from web/app/ce to web/app/core 2026-06-15 17:38:58 +05:30
Rahulcheryala
6c571d0841 refactor: migrate hooks (use-extended-editor-config) from web/app/ce to web/app/core 2026-06-15 17:38:58 +05:30
Rahulcheryala
f74ee5aa63 refactor: migrate hooks (use-work-items-filters-config) from web/app/ce to web/app/core 2026-06-15 17:38:58 +05:30
Rahulcheryala
d977d6d0d4 refactor: migrate hooks (use-extended-editor-extensions, use-pages-pane-extensions) from web/app/ce to web/app/core 2026-06-15 17:38:58 +05:30
Rahulcheryala
a189d7be8d refactor: migrate hooks (use-additional-favorite-item-details) from web/app/ce to web/app/core 2026-06-15 17:38:58 +05:30
Rahulcheryala
ec34e95e7b refactor: migrate hooks (use-additional-editor-mention) from web/app/ce to web/app/core 2026-06-15 17:38:58 +05:30
Rahulcheryala
b2795efa77 refactor: migrate hooks (use-filters-operator-configs) from web/app/ce to web/app/core 2026-06-15 17:38:58 +05:30
Rahulcheryala
57972d4519 refactor: migrate hooks (use-editor-flagging) from web/app/ce to web/app/core 2026-06-15 17:38:57 +05:30
Rahulcheryala
f7056d1ef4 refactor: migrate hooks (use-page-flag) from web/app/ce to web/app/core 2026-06-15 17:38:57 +05:30
Rahulcheryala
db2c39eff6 refactor: migrate hooks (app-rail, indexes) from web/app/ce to web/app/core 2026-06-15 17:38:57 +05:30
Rahulcheryala
41a0d0ece6 refactor: migrate hooks (use-page, use-page-store) from web/app/ce to web/app/core 2026-06-15 17:38:57 +05:30
Rahulcheryala
3b809cd306 refactor: migrate hooks (use-timeline-chart) from web/app/ce to web/app/core 2026-06-15 17:38:57 +05:30
Rahulcheryala
40c94e726b refactor: migrate hooks (use-notification-preview) from web/app/ce to web/app/core 2026-06-15 17:38:57 +05:30
Rahulcheryala
5e09a7abc6 refactor: migrate hooks (use-file-size) from web/app/ce to web/app/core 2026-06-15 17:38:57 +05:30
Rahulcheryala
efecb7b75d refactor: resolve coderabbit comments 2026-06-15 17:30:58 +05:30
Rahulcheryala
b82f376a49 fix: resolve coderabbit comments 2026-06-15 17:12:44 +05:30
Rahulcheryala
315ccee369 resolved lint errors 2026-06-15 17:12:44 +05:30
Rahulcheryala
76bdd9515f refactor: migrate constants (plans) from apps/web to @core/components 2026-06-15 17:12:44 +05:30
Rahulcheryala
9503c7211a refactor: migrate constants (editor) from apps/web to @plane/constants 2026-06-15 17:12:44 +05:30
Rahulcheryala
bba0ca9613 refactor: migrate constants (sidebar, favorites) from apps/web to @plane/constants 2026-06-15 17:12:44 +05:30
Rahulcheryala
dbca2b2b62 refactor: migrate constants (ai, calenda, gaant) from apps/web to @plane/constants 2026-06-15 17:12:44 +05:30
Rahulcheryala
1221954ed5 refactor: migrate constants (fetch-keys) from apps/web to @plane/constants 2026-06-15 17:12:44 +05:30
Nikita Mitasov
f2feca61e8 feat(api): add workspace_slug to webhook delivery payload (#9232) 2026-06-15 13:16:41 +05:30
sriram veeraghanta
498f857be4 fix: resolve esbuild advisory and bump turbo to 2.9.18 (#9236)
Resolves the sole open Dependabot alert (GHSA-gv7w-rqvm-qjhr, high):
esbuild <0.28.1 lacks binary-integrity verification in its Deno install
path, enabling RCE via NPM_CONFIG_REGISTRY. The pnpm `overrides` entry
pinned the entire tree to esbuild 0.25.0; bump it to 0.28.1, which fixes
all transitive paths (vite, vitest, tsx, vite-node, esbuild-register).

Also bump turbo 2.9.14 -> 2.9.18 in the workspace catalog and the four
pinned production Dockerfiles (web, live, admin, space).

Verified: `pnpm audit` clean, admin react-router/vite build succeeds,
@plane/codemods vitest suite 33/33 passing.
2026-06-15 13:15:40 +05:30
sriram veeraghanta
fd16d033fc fix(api): reject API key auth for deactivated user accounts (#9225)
The custom API key authentication only verified that the APIToken row was
active and unexpired; it never checked the owning user's is_active flag.
DRF's IsAuthenticated only checks user.is_authenticated (always True for a
real User), so a user whose account was deactivated could keep using a
previously issued API key indefinitely.

Add user__is_active=True to the validate_api_token() lookup so a token tied
to a disabled account is treated as invalid (a generic AuthenticationFailed,
avoiding account-state disclosure). Applied to both the external API
middleware (plane/api) and the identical, currently unused copy in
plane/app to prevent the gap from being reintroduced.

Adds unit coverage on validate_api_token and an end-to-end contract test
proving GET /api/v1/users/me/ is denied once the account is deactivated.
2026-06-10 11:36:45 +05:30
sriram veeraghanta
2f7941a17c fix(api): sanitize XLSX export cells to prevent formula injection (#9224)
User-controlled values (work item titles, labels, etc.) were written
raw into openpyxl worksheet cells, so values beginning with = were
stored as live formula cells in exported XLSX files. Apply the same
formula-trigger sanitization already used for CSV exports to XLSX
cell values and header rows in both export formatters, and sanitize
CSV header rows in the porters formatter for parity.
2026-06-10 11:32:13 +05:30
Rahul Cheryala
373f149fdb [GIT-238] refactor: migrate types from apps/web to @plane/types (#9203)
* refactor: migrate types from apps/web to @plane/types

* [WEB-238] resolved lint errors

* [WEB-238] Resolved coderabbit comments
2026-06-09 18:06:08 +05:30
sriram veeraghanta
a1535319e6 chore: integrate react-doctor scanning (#9223)
Add react-doctor for React lint/a11y/perf/architecture diagnostics:
- Add react-doctor devDependency and "doctor" npm script
- Add .claude/skills/react-doctor skill for local triage workflow
- Add GitHub Actions workflow to scan PRs and track health score
2026-06-09 02:02:54 +05:30
sriram veeraghanta
0bbfe95cc7 fix: bump react-router and vitest to resolve Dependabot advisories (#9215)
* fix: bump react-router and vitest to resolve Dependabot advisories

Resolves 6 open Dependabot alerts (all npm, manifest pnpm-lock.yaml):

- react-router 7.12.0 -> 7.15.0 (fixes GHSA-8x6r-g9mw-2r78 [high],
  GHSA-49rj-9fvp-4h2h [high], GHSA-8646-j5j9-6r62 [high],
  GHSA-2j2x-hqr9-3h42 [medium], GHSA-f22v-gfqf-p8f3 [medium])
- vitest 4.0.x -> 4.1.x (fixes GHSA-5xrq-8626-4rwp [critical])

Aligned lockstep siblings to avoid peer-dependency mismatches:
@react-router/dev|node|serve -> 7.15.0, @vitest/coverage-v8 -> ^4.1.0.

Edited catalog entries in pnpm-workspace.yaml and regenerated
pnpm-lock.yaml; verified with pnpm install --frozen-lockfile.

* fix: raise vitest catalog floor to ^4.1.8 to match security advisory

The critical advisory GHSA-5xrq-8626-4rwp is patched in vitest 4.1.8, but
the catalog specifiers were ^4.1.0, which permits resolving to vulnerable
4.1.0-4.1.7. Align the floor with the documented patched version for vitest
and @vitest/coverage-v8 so a future lockfile refresh cannot reintroduce a
vulnerable Vitest stack. Resolved version is unchanged (4.1.8).
2026-06-05 00:51:33 +05:30
sriram veeraghanta
9a30a07cf5 fix(api): enforce workspace membership on GenericAssetEndpoint (#9212)
The public REST API GenericAssetEndpoint (/api/v1/workspaces/<slug>/assets/)
declared no permission class, inheriting only IsAuthenticated. Since
APIKeyAuthentication does not bind a token to a workspace and the workspace is
read straight from the URL slug, any valid Personal Access Token could read
(GET), create (POST), and modify (PATCH) assets in a workspace the caller is
not a member of — a cross-workspace IDOR, the public-API sibling of the
CVE-2026-46558 dashboard asset fix.

Add permission_classes = [WorkspaceUserPermission] so every method requires
active workspace membership, matching the dashboard fix semantics. Also add
contract regression tests covering cross-workspace GET/POST/PATCH (now 403)
and a positive control confirming members retain access.

Also ignore the local /security/ advisory notes folder.
2026-06-04 18:49:39 +05:30