mirror of
https://github.com/makeplane/plane.git
synced 2026-07-09 20:10:06 +02:00
* [WEB-8060] fix(security): enforce authz on is_active member (de)activation
ProjectMemberViewSet.partial_update nested every authorization guard inside
`if "role" in request.data:`. Because ProjectMemberSerializer exposes is_active
through fields="__all__" with no read-only, a project GUEST could PATCH
{"is_active": false} while omitting "role" to deactivate any member — including
admins — and take over the project (GHSA-hpgm-9r34-c4x5 / GHSA-25gg-cxm8-g7h9).
Add an independent is_active guard, mirroring the role block and destroy(): only
a project admin (or workspace admin) may (de)activate a member, and never one
whose role is equal to or higher than the requester's own.
Adds contract regression tests covering guest/member deactivation attempts and
the legitimate project-admin path.
Co-authored-by: Plane AI <noreply@plane.so>
* [WEB-8060] test(security): cover workspace-admin is_active bypass
Address Copilot review on #9367: add a positive-control test asserting a
workspace admin holding only a project GUEST role can still deactivate a project
admin (the intended is_workspace_admin bypass), so future changes cannot silently
remove it.
Co-authored-by: Plane AI <noreply@plane.so>
---------
Co-authored-by: Plane AI <noreply@plane.so>