sriram veeraghanta 4fc79a2d7e fix(security): block bot user logins (#9368)
Bot service accounts (User.is_bot=True, e.g. the WORKSPACE_SEED bot) are
internal identities meant to act only through API tokens. Nothing stopped
one from being driven through the interactive login flow if its email was
known, letting a human assume a service identity.

Reject bot accounts at the shared login chokepoint,
Adapter.complete_login_or_signup(), right beside the existing
deactivated-account check. This covers every interactive provider in one
place: email/password, magic code, and all OAuth providers (Google, GitHub,
GitLab, Gitea) across both the app and space surfaces. Bot API-token access
is left untouched, since that is how bots are meant to operate.

Also add a defense-in-depth is_bot guard to InstanceAdminSignInEndpoint,
which mints its own admin session outside the chokepoint (a bot is never an
InstanceAdmin today, so this is not currently reachable, but it closes the
path regardless).

Surface the rejection with a new dedicated error code
BOT_USER_LOGIN_FORBIDDEN (5017), plumbed into the app and space frontend
error helpers as well as the shared @plane/constants and @plane/utils
packages (message map + banner-alert list) so any consumer of the shared
auth-error handler renders it correctly. The admin path reuses the existing
ADMIN_AUTHENTICATION_FAILED code so it discloses no bot-specific error.

Add contract regression tests: a bot blocked via password and via magic
code, a bot blocked at the admin sign-in endpoint, and a non-bot control
that still logs in.
2026-07-08 01:51:37 +05:30



Plane Logo

Modern project management for all teams

WebsiteForumXDocumentation

Plane Screens

Meet Plane, an open-source project management tool to track issues, run sprints cycles, and manage product roadmaps without the chaos of managing the tool itself. 🧘‍♀️

Plane is evolving every day. Your suggestions, ideas, and reported bugs help us immensely. Do not hesitate to join in the conversation on Forum or raise a GitHub issue. We read everything and respond to most.

🚀 Installation

Getting started with Plane is simple. Choose the setup that works best for you:

  • Plane Cloud Sign up for a free account on Plane Cloud—it's the fastest way to get up and running without worrying about infrastructure.

  • Self-host Plane Prefer full control over your data and infrastructure? Install and run Plane on your own servers. Follow our detailed deployment guides to get started.

Installation methods Docs link
Docker Docker
Kubernetes Kubernetes

Instance admins can configure instance settings with God mode.

🌟 Features

  • Work Items Efficiently create and manage tasks with a robust rich text editor that supports file uploads. Enhance organization and tracking by adding sub-properties and referencing related issues.

  • Cycles Maintain your teams momentum with Cycles. Track progress effortlessly using burn-down charts and other insightful tools.

  • Modules Simplify complex projects by dividing them into smaller, manageable modules.

  • Views Customize your workflow by creating filters to display only the most relevant issues. Save and share these views with ease.

  • Pages Capture and organize ideas using Plane Pages, complete with AI capabilities and a rich text editor. Format text, insert images, add hyperlinks, or convert your notes into actionable items.

  • Analytics Access real-time insights across all your Plane data. Visualize trends, remove blockers, and keep your projects moving forward.

🛠️ Local development

See CONTRIBUTING

⚙️ Built with

React Router Django Node JS

📸 Screenshots

Plane Views

Plane Cycles and Modules

Plane Analytics

Plane Pages

📝 Documentation

Explore Plane's product documentation and developer documentation to learn about features, setup, and usage.

❤️ Community

Join the Plane community on GitHub Discussions and our Forum. We follow a Code of conduct in all our community channels.

Feel free to ask questions, report bugs, participate in discussions, share ideas, request features, or showcase your projects. Wed love to hear from you!

🛡️ Security

If you discover a security vulnerability in Plane, please report it responsibly instead of opening a public issue. We take all legitimate reports seriously and will investigate them promptly. See Security policy for more info.

To disclose any security issues, please email us at security@plane.so.

🤝 Contributing

There are many ways you can contribute to Plane:

Please read CONTRIBUTING.md for details on the process for submitting pull requests to us.

Repo activity

Plane Repo Activity

We couldn't have done this without you.

License

This project is licensed under the GNU Affero General Public License v3.0.

Description
🔥 🔥 🔥 Open Source JIRA, Linear, Monday, and Asana Alternative. Plane helps you track your issues, epics, and cycles the easiest way on the planet. plane.so
Readme 467 MiB
Languages
TypeScript 70.2%
Python 25.6%
HTML 2.3%
CSS 0.8%
JavaScript 0.6%
Other 0.5%