mirror of
https://github.com/makeplane/plane.git
synced 2026-06-13 19:19:54 +00:00
sriram veeraghanta
9a30a07cf5
The public REST API GenericAssetEndpoint (/api/v1/workspaces/<slug>/assets/) declared no permission class, inheriting only IsAuthenticated. Since APIKeyAuthentication does not bind a token to a workspace and the workspace is read straight from the URL slug, any valid Personal Access Token could read (GET), create (POST), and modify (PATCH) assets in a workspace the caller is not a member of — a cross-workspace IDOR, the public-API sibling of the CVE-2026-46558 dashboard asset fix. Add permission_classes = [WorkspaceUserPermission] so every method requires active workspace membership, matching the dashboard fix semantics. Also add contract regression tests covering cross-workspace GET/POST/PATCH (now 403) and a positive control confirming members retain access. Also ignore the local /security/ advisory notes folder.