
[pull] preview from makeplane:preview #55

Merged: pull[bot] merged 1 commit into SMURF4096:preview from makeplane:preview, Jun 4, 2026

Conversation


@pull pull Bot commented Jun 4, 2026


See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

The public REST API GenericAssetEndpoint (/api/v1/workspaces/<slug>/assets/)
declared no permission class, inheriting only IsAuthenticated. Since
APIKeyAuthentication does not bind a token to a workspace and the workspace is
read straight from the URL slug, any valid Personal Access Token could read
(GET), create (POST), and modify (PATCH) assets in a workspace the caller is
not a member of — a cross-workspace IDOR, the public-API sibling of the
CVE-2026-46558 dashboard asset fix.

Add permission_classes = [WorkspaceUserPermission] so every method requires
active workspace membership, matching the dashboard fix semantics. Also add
contract regression tests covering cross-workspace GET/POST/PATCH (now 403)
and a positive control confirming members retain access.

Also ignore the local /security/ advisory notes folder.
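As an added illustration (not Plane's code and not this PR's diff), a plain-Python stand-in for the DRF permission loop showing why the inherited IsAuthenticated alone lets any valid token reach any workspace slug, and what requiring workspace membership changes; the membership table, the Request type and both permission classes are constructed for the example.

```python
# Added illustration, not Plane's code: an authenticated-only check on a
# workspace-scoped endpoint versus one that also requires membership.
from dataclasses import dataclass
from typing import Optional

# Constructed membership table: workspace slug -> set of member user ids.
WORKSPACE_MEMBERS = {"acme": {"alice"}, "globex": {"bob"}}


@dataclass
class Request:
    user_id: Optional[str]  # None = no valid token presented
    method: str             # GET / POST / PATCH


class IsAuthenticated:
    """Stand-in for DRF's IsAuthenticated: only asks whether a user exists."""

    def has_permission(self, request, slug):
        return request.user_id is not None


class WorkspaceUserPermission:
    """Stand-in for a membership permission: the slug comes from the URL,
    the user from the token, and access requires membership in that slug."""

    def has_permission(self, request, slug):
        if request.user_id is None:
            return False
        return request.user_id in WORKSPACE_MEMBERS.get(slug, set())


def dispatch(permission_classes, request, slug):
    """Mimic the permission loop: 401 without a user, 403 when any permission
    class refuses, otherwise 200 (the handler body is irrelevant here)."""
    if request.user_id is None:
        return 401
    for perm in permission_classes:
        if not perm().has_permission(request, slug):
            return 403
    return 200


# Before the fix: only the inherited check, so any token reaches any slug.
VULNERABLE = [IsAuthenticated]
# After the fix: every method additionally requires workspace membership.
FIXED = [IsAuthenticated, WorkspaceUserPermission]


def status_for(permission_classes, user_id, method, slug):
    return dispatch(permission_classes, Request(user_id, method), slug)
```

The cross-workspace cases (a "globex" member hitting "acme") return 200 under VULNERABLE and 403 under FIXED for every method, while a genuine member still gets 200, which is the positive control the commit message describes.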
@pull pull Bot locked and limited conversation to collaborators Jun 4, 2026
@pull pull Bot added the ⤵️ pull label Jun 4, 2026
@pull pull Bot merged commit 9a30a07 into SMURF4096:preview Jun 4, 2026
