sriram veeraghanta ac11c3ef79 fix: enforce workspace membership on V2 asset endpoints (#8885) ...

WorkspaceFileAssetEndpoint had no authorization checks beyond
authentication, allowing any logged-in user to create, read, patch,
and delete assets in any workspace by slug. DuplicateAssetEndpoint
only authorized the destination workspace, letting users copy assets
from workspaces they don't belong to.

Add @allow_permission decorators to all WorkspaceFileAssetEndpoint
methods and scope DuplicateAssetEndpoint's source asset lookup to
workspaces where the caller is an active member.

Ref: GHSA-qw87-v5w3-6vxx

2026-04-20 15:26:59 +05:30

..

bin

[WEB-5592] chore: add static files update settings for static files support (#8251)

2025-12-09 21:05:26 +05:30

plane

fix: enforce workspace membership on V2 asset endpoints (#8885)

2026-04-20 15:26:59 +05:30

requirements

chore(deps): bump pytest (#8891)

2026-04-14 13:54:04 +05:30

templates

fix: update Twitter icon and links to X (#8785) (#8790)

2026-04-07 15:34:54 +05:30

.coveragerc

chore: rename server to api (#7342)

2025-07-04 15:32:21 +05:30

.env.example

- Add SIGNED_URL_EXPIRATION environment variable (#8136)

2025-12-03 10:52:19 +05:30

.prettierignore

fix: eslint (#8185)

2025-12-05 16:03:51 +05:30

Dockerfile.api

chore: updated node version to 22 and python version to 3.12.10 (#7343)

2025-07-04 16:28:30 +05:30

Dockerfile.dev

chore: rename server to api (#7342)

2025-07-04 15:32:21 +05:30

manage.py

chore: add copyright (#8584)

2026-01-27 13:54:22 +05:30

package.json

chore: version bump

2026-03-31 17:09:35 +05:30

pyproject.toml

[WEB-5044] fix: ruff lint and format errors (#7868)

2025-09-29 19:15:32 +05:30

pytest.ini

chore: rename server to api (#7342)

2025-07-04 15:32:21 +05:30

requirements.txt

chore: rename server to api (#7342)

2025-07-04 15:32:21 +05:30

run_tests.py

chore: add copyright (#8584)

2026-01-27 13:54:22 +05:30

run_tests.sh

chore: rename server to api (#7342)

2025-07-04 15:32:21 +05:30