plane/apps/api
sriram veeraghanta 9491bdbe46 fix(api): scope cross-workspace resource lookups to prevent IDOR (#9008)
`ProjectViewSet.partial_update`, `BulkEstimatePointEndpoint.partial_update`,
and `WorkspaceUserProfileEndpoint.get` previously fetched objects by primary
key alone after a workspace-scoped permission check, allowing an authenticated
caller to act on resources belonging to other workspaces by supplying a
foreign UUID with their own workspace slug in the URL.

- Project partial_update: scope `Project.objects.get` by `workspace__slug`,
  matching the existing pattern in `destroy`.
- Bulk estimate partial_update: scope `Estimate.objects.get` by
  `workspace__slug` and `project_id`, matching `retrieve` and `destroy`.
- Workspace user profile: require the target `user_id` to be an active
  member of the requested workspace before returning email and other PII.
2026-05-04 17:58:28 +05:30