Files
plane/apps/api
Manish Gupta 28ae25b564 [WEB-7847] fix: enforce workspace membership on entity-search endpoint (#9296)
* fix: enforce workspace membership on entity-search endpoint (GHSA-32q3-mqpc-3mhv)

SearchEndpoint required authentication but did not verify the requesting user
was a member of the queried workspace. Any authenticated Plane user could
enumerate members across workspaces they don't belong to by guessing slugs.

Add a WorkspaceMember guard at the top of get() — returns 403 if the user is
not an active member of the target workspace. Brings OSS to parity with EE,
which already had this protection via @can(WorkspacePermissions.VIEW).

Co-authored-by: Plane AI <noreply@plane.so>

* refactor(security): replace inline WS membership check with WorkspaceUserPermission

Use the existing WorkspaceUserPermission permission class on SearchEndpoint
instead of a manual WorkspaceMember.objects.filter() guard inside the
method body. Enforcement behaviour is unchanged (GHSA-32q3-mqpc-3mhv).

Co-authored-by: Plane AI <noreply@plane.so>

---------

Co-authored-by: Plane AI <noreply@plane.so>
2026-06-30 18:35:10 +05:30
..
2025-12-05 16:03:51 +05:30
2026-01-27 13:54:22 +05:30
2026-01-27 13:54:22 +05:30