
[WEB-7776] fix(security): scope FileAsset queries to prevent cross-project IDOR (Cluster F)#9288

Open
mguptahub wants to merge 3 commits into
previewfrom
web-7776/fix-asset-idor
Open

[WEB-7776] fix(security): scope FileAsset queries to prevent cross-project IDOR (Cluster F)#9288
mguptahub wants to merge 3 commits into
previewfrom
web-7776/fix-asset-idor

Conversation

@mguptahub

@mguptahub mguptahub commented Jun 22, 2026

Collaborator

Summary

Multiple asset endpoints were missing project-level scoping on FileAsset queryset filters, allowing authenticated users to access, mark-uploaded, or restore assets belonging to other projects or workspaces they are not members of.

Fixes applied

| Priority | Endpoint | File | Fix |
|---|---|---|---|
| P0 | ProjectBulkAssetEndpoint.post | app/views/asset/v2.py | Add project_id=project_id to asset filter |
| P0 | EntityAssetEndpoint.get | space/views/asset.py | Add project_id=deploy_board.project_id |
| P0 | EntityAssetEndpoint.patch | space/views/asset.py | Add project_id=deploy_board.project_id |
| P1 | AssetRestoreEndpoint.post | space/views/asset.py | Add project_id=deploy_board.project_id |
| P1 | FileAssetEndpoint V1 (get/post/delete) | app/views/asset/base.py | Add WorkspaceMember membership check |
| P1 | FileAssetViewSet.restore V1 | app/views/asset/base.py | Add WorkspaceMember membership check |
| P2 | WorkspaceFileAssetEndpoint.post | app/views/asset/v2.py | Gate WORKSPACE_LOGO upload on ROLE.ADMIN |
| P2 | DuplicateAssetEndpoint.post | app/views/asset/v2.py | Restrict source asset lookup to same workspace |

Advisories addressed

GHSA-r2hw (critical), GHSA-jh4v (high), GHSA-8688 (high), GHSA-3hrj, GHSA-3892, GHSA-3ggg, GHSA-gcpp, GHSA-p57q, GHSA-c68q, GHSA-8chr, GHSA-58qm, GHSA-wrrw, GHSA-j4mj, GHSA-85h2, GHSA-29q3, GHSA-mwh2, GHSA-xrpv and related duplicates.

Test plan

  • Upload an asset to Project A, then attempt POST /api/v1/workspaces/{slug}/projects/{projectB_id}/bulk-asset-save/ with the asset ID — should return 404
  • On a public board, attempt PATCH /spaces/{anchor}/assets/{asset_from_other_project}/ — should return 404
  • On a public board, attempt POST /spaces/{anchor}/assets/{id}/restore/ with asset from a different project — should return 404
  • Attempt GET /api/workspaces/{ws_id}/{asset_key} from a user not in the workspace — should return 404
  • As MEMBER, attempt POST /api/v1/workspaces/{slug}/file-assets/ with entity_type=WORKSPACE_LOGO — should return 403
  • As ADMIN, attempt same call — should succeed
  • DuplicateAssetEndpoint: attempt to duplicate an asset from workspace B while calling endpoint in workspace A — should return 404

Co-authored-by: Plane AI <noreply@plane.so>

Summary by CodeRabbit

Release Notes

  • Bug Fixes / Security
    • Asset endpoints now require authenticated users with active workspace membership.
    • Workspace logo uploads are restricted to workspace administrators.
    • Asset lookups were tightened to prevent cross-project access, including bulk updates, duplication, entity asset retrieval/patch, and restore operations.
    • File asset creation and restoration now properly enforce workspace/project scoping and return appropriate errors when targets are invalid or unauthorized.
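As an added illustration of the defect described above and the shape of the fix (this is not Plane's code and not part of this PR's diff): a FileAsset lookup keyed on the asset id and workspace only lets any workspace member reach assets of a project they were never added to, while putting the URL's project_id into the same filter makes such an id simply not match. The Django ORM is replaced by a small in-memory filter so it runs offline; the FileAsset fields, the ids and the workspace/project layout are constructed sample data.

```python
"""Added illustration (not Plane's code): unscoped vs project-scoped FileAsset
lookups. ASSETS and the _filter() helper stand in for the Django ORM."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class FileAsset:
    id: str
    workspace_id: str
    project_id: Optional[str]
    is_uploaded: bool = False


# Constructed sample data: projects A and B share workspace ws-1; project C lives in ws-2.
ASSETS = [
    FileAsset("asset-A1", "ws-1", "proj-A"),
    FileAsset("asset-B1", "ws-1", "proj-B"),
    FileAsset("asset-C1", "ws-2", "proj-C"),
]


def _filter(**criteria) -> List[FileAsset]:
    """Stand-in for queryset.filter(**kwargs): a record matches only if every
    keyword equals the corresponding field (all conditions are ANDed)."""
    return [a for a in ASSETS if all(getattr(a, k) == v for k, v in criteria.items())]


def lookup_asset_before(asset_id: str, workspace_id: str) -> Optional[FileAsset]:
    """Pre-fix shape: scoped by workspace only. A caller who knows an id from a
    sibling project gets the record back, which is the cross-project IDOR."""
    hits = _filter(id=asset_id, workspace_id=workspace_id)
    return hits[0] if hits else None


def lookup_asset_after(asset_id: str, workspace_id: str, project_id: str) -> Optional[FileAsset]:
    """Post-fix shape: the project taken from the URL is part of the filter, so
    the same id from another project yields no row and the view answers 404."""
    hits = _filter(id=asset_id, workspace_id=workspace_id, project_id=project_id)
    return hits[0] if hits else None


def bulk_mark_uploaded(asset_ids: Iterable[str], workspace_id: str, project_id: str) -> List[str]:
    """Mirror of the bulk-asset-save fix: build the queryset from the request's
    workspace and project first, then intersect with the submitted ids. Ids from
    other projects fall out of the filter instead of being updated."""
    wanted = set(asset_ids)
    scoped = _filter(workspace_id=workspace_id, project_id=project_id)
    return sorted(a.id for a in scoped if a.id in wanted)


def http_status_for(asset: Optional[FileAsset]) -> int:
    """The endpoints in this PR answer a non-matching lookup with 404 rather than
    403, so the response does not confirm that the id exists in another project."""
    return 200 if asset is not None else 404
```

The point to take from `bulk_mark_uploaded` is the order of operations: the scope comes from the authenticated route (workspace and project), and the client-supplied id list is only ever intersected with that scoped queryset, never used as the primary lookup key.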

…oject IDOR (Cluster F)

Multiple asset endpoints were missing project-level scoping on FileAsset
queryset filters, allowing authenticated users to access, mark-uploaded,
or restore assets belonging to other projects/workspaces.

- ProjectBulkAssetEndpoint.post: add project_id= scope to asset filter
- EntityAssetEndpoint.get/patch: add project_id=deploy_board.project_id
- AssetRestoreEndpoint.post: add project_id=deploy_board.project_id
- FileAssetEndpoint (V1): add workspace membership check on get/post/delete
- FileAssetViewSet.restore (V1): add workspace membership check
- WorkspaceFileAssetEndpoint.post: gate WORKSPACE_LOGO on ADMIN role
- DuplicateAssetEndpoint.post: restrict source asset to same workspace

Fixes GHSA-r2hw, GHSA-jh4v, GHSA-8688, GHSA-3hrj and related advisories.

Co-authored-by: Plane AI <noreply@plane.so>
Copilot AI review requested due to automatic review settings June 22, 2026 10:39

Copilot AI left a comment

Contributor

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Contributor


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: af3399d0-053a-4d61-8d82-317a1c3ab105

📥 Commits

Reviewing files that changed from the base of the PR and between ea9ecdf and 70143f8.

📒 Files selected for processing (1)
  • apps/api/plane/app/views/asset/base.py

📝 Walkthrough

Walkthrough

Asset endpoints now require authenticated workspace membership, workspace-logo uploads are limited to admins, and asset lookups in the workspace and space views are scoped more tightly by workspace and project.

Changes

Asset Authorization Hardening

| Layer | File(s) | Summary |
|---|---|---|
| Workspace membership guards on FileAssetEndpoint | apps/api/plane/app/permissions/__init__.py, apps/api/plane/app/permissions/workspace.py, apps/api/plane/app/views/asset/base.py | WorkspaceMemberPermission is added and re-exported; FileAssetEndpoint and FileAssetViewSet require authenticated workspace membership; FileAssetEndpoint.post resolves the workspace by slug before serializer validation. |
| Admin gate and asset scoping in v2 endpoints | apps/api/plane/app/views/asset/v2.py | WORKSPACE_LOGO uploads require an admin WorkspaceMember; bulk asset lookup adds project_id; duplicated asset lookup is limited to the destination workspace. |
| Cross-project scoping in space asset endpoints | apps/api/plane/space/views/asset.py | EntityAssetEndpoint.get, patch, and AssetRestoreEndpoint.post add project_id to FileAsset lookups. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • pablohashescobar
  • dheeru0198
  • sangeethailango

Possibly related PRs

  • makeplane/plane#9212: Tightens asset endpoint authorization with workspace membership checks on a related asset endpoint flow.

Poem

🐰 I hop by slugs and project gates,
Guarding assets, locked-up states.
Admin ears for logos high,
Scoped by workspace, safe and spry.
In the warren, doors now heed
Membership keys for every deed.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly matches the main change: scoping FileAsset queries to prevent cross-project IDOR. |
| Description check | ✅ Passed | The description includes a clear summary, detailed fixes, advisories, and test plan, so it largely satisfies the template. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@makeplane

makeplane Bot commented Jun 22, 2026


Linked to Plane Work Item(s)

This comment was auto-generated by Plane

Comment thread apps/api/plane/app/views/asset/base.py Outdated
Comment on lines +25 to +29
if not WorkspaceMember.objects.filter(workspace_id=workspace_id, member=request.user, is_active=True).exists():
return Response(
{"error": "Requested resource could not be found.", "status": False},
status=status.HTTP_404_NOT_FOUND,
)
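Review bot: the membership check on lines +25 to +29 keys on workspace_id only, while this endpoint is also routed by slug (the follow-up below notes both URL patterns on it), so the slug route is not covered by this inline check; resolving the workspace once in a permission class lets a single resolver serve both kwarg styles and every method instead of repeating the query in get, post and delete. Returning 404 rather than 403 here is a deliberate existence-hiding choice worth a one-line comment, because DRF's permission classes answer a failed has_permission with 403 by default and a reader moving the check there will otherwise not know which status the tests expect.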

Member

@mguptahub Let's use a permission class for this.

Member

The changes below can be removed after adding the permission class to the view.

Collaborator Author

Done — added WorkspaceMemberPermission to plane/app/permissions/workspace.py. It resolves the workspace via workspace_id (UUID) or slug kwarg, covering both URL patterns on this endpoint. FileAssetEndpoint and FileAssetViewSet now declare permission_classes = [IsAuthenticated, WorkspaceMemberPermission] and all inline membership checks have been removed.

Collaborator Author

Removed — all inline WorkspaceMember checks are gone from get, post, delete, and restore. The permission class handles enforcement before the method body runs.

…mberPermission class

Add WorkspaceMemberPermission to workspace.py — resolves workspace by
'workspace_id' UUID or 'slug' kwarg, covering the mixed URL patterns on
FileAssetEndpoint. Apply to FileAssetEndpoint and FileAssetViewSet so
membership enforcement lives in the permission layer, not inside each
method handler.

Co-authored-by: Plane AI <noreply@plane.so>

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1


Inline comments:
In `@apps/api/plane/app/views/asset/base.py`:
- Line 20: The missing-workspace 404 path in FileAssetEndpoint.post() is
unreachable because WorkspaceMemberPermission rejects unknown slugs before the
view logic runs. Update the permission flow used by BaseView/FileAssetEndpoint
so workspace existence is checked there, or remove/adjust the
Workspace.objects.filter(slug=slug).first() 404 branch and its expectation to
match the actual authorization behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1c30b2a9-b03a-4974-95b2-28e10003facc

📥 Commits

Reviewing files that changed from the base of the PR and between e063c2c and ea9ecdf.

📒 Files selected for processing (3)
  • apps/api/plane/app/permissions/__init__.py
  • apps/api/plane/app/permissions/workspace.py
  • apps/api/plane/app/views/asset/base.py
✅ Files skipped from review due to trivial changes (1)
  • apps/api/plane/app/permissions/__init__.py

Comment thread apps/api/plane/app/views/asset/base.py
WorkspaceMemberPermission denies requests for non-existent slugs before
the view method runs, making the filter().first() + if not workspace
branch unreachable. Switch to .get() so any TOCTOU race still surfaces
as a 404 via ObjectDoesNotExist.

Co-authored-by: Plane AI <noreply@plane.so>
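As an added example (not Plane's code and not taken from this PR's diff) of the permission-layer design the thread converges on, covering the author's description of WorkspaceMemberPermission, the follow-up commit message, and CodeRabbit's point about the unreachable "workspace not found" branch: a permission that resolves the workspace from either a `workspace_id` or a `slug` URL kwarg and requires an active membership, the role gate for WORKSPACE_LOGO uploads, and a minimal dispatch that shows why a lookup after the permission has passed cannot fail. DRF and the Django ORM are replaced by in-memory stand-ins so it runs offline; the ROLE values, the `ISSUE_ATTACHMENT` entity type used as the non-logo case, and all records are constructed assumptions rather than Plane's real data.

```python
"""Added example (not Plane's code): a workspace-membership permission that
accepts both 'workspace_id' and 'slug' routes, plus the WORKSPACE_LOGO admin gate.
ROLE values, workspaces and members are constructed assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from types import SimpleNamespace
from typing import Optional


class ROLE(IntEnum):
    """Assumed ordering: a larger value is a more privileged role."""
    GUEST = 5
    MEMBER = 15
    ADMIN = 20


@dataclass(frozen=True)
class Workspace:
    id: str
    slug: str


@dataclass(frozen=True)
class WorkspaceMember:
    workspace_id: str
    member: str  # user id
    role: int
    is_active: bool = True


class WorkspaceNotFound(Exception):
    """Stand-in for the ObjectDoesNotExist that Django's .get() raises."""


# Constructed sample data.
WORKSPACES = [Workspace("ws-uuid-1", "acme"), Workspace("ws-uuid-2", "globex")]
MEMBERS = [
    WorkspaceMember("ws-uuid-1", "alice", ROLE.ADMIN),
    WorkspaceMember("ws-uuid-1", "bob", ROLE.MEMBER),
    WorkspaceMember("ws-uuid-1", "carol", ROLE.MEMBER, is_active=False),  # removed member
    WorkspaceMember("ws-uuid-2", "dave", ROLE.ADMIN),
]


def get_workspace(**criteria) -> Workspace:
    """Stand-in for Workspace.objects.get(**kwargs): returns the match or raises."""
    for ws in WORKSPACES:
        if all(getattr(ws, k) == v for k, v in criteria.items()):
            return ws
    raise WorkspaceNotFound(criteria)


def resolve_workspace(kwargs: dict) -> Workspace:
    """Prefer the 'workspace_id' (UUID) kwarg when the route carries it, else 'slug'.
    Raises WorkspaceNotFound for an unknown value or a route with neither kwarg."""
    if "workspace_id" in kwargs:
        return get_workspace(id=kwargs["workspace_id"])
    if "slug" in kwargs:
        return get_workspace(slug=kwargs["slug"])
    raise WorkspaceNotFound("route carries no workspace reference")


def active_membership(workspace_id: str, user_id: str) -> Optional[WorkspaceMember]:
    """Equivalent of WorkspaceMember.objects.filter(workspace_id=..., member=..., is_active=True).first()."""
    for m in MEMBERS:
        if m.workspace_id == workspace_id and m.member == user_id and m.is_active:
            return m
    return None


class WorkspaceMemberPermission:
    """Deny unless the caller is authenticated and an active member of the workspace
    named in the URL, whichever kwarg style the route uses. Fails closed."""

    def has_permission(self, request, view) -> bool:
        if not getattr(request.user, "is_authenticated", False):
            return False
        try:
            workspace = resolve_workspace(view.kwargs)
        except WorkspaceNotFound:
            return False  # unknown workspace is rejected here, before any view code runs
        return active_membership(workspace.id, request.user.id) is not None


def can_upload(entity_type: str, workspace_id: str, user_id: str) -> bool:
    """Active membership suffices for ordinary assets; WORKSPACE_LOGO needs ADMIN."""
    membership = active_membership(workspace_id, user_id)
    if membership is None:
        return False
    if entity_type == "WORKSPACE_LOGO":
        return membership.role >= ROLE.ADMIN
    return True


def dispatch(kwargs: dict, user_id: Optional[str], entity_type: str = "ISSUE_ATTACHMENT") -> int:
    """Minimal DRF-like flow: permission classes first, then the handler. Returns an HTTP status."""
    request = SimpleNamespace(user=SimpleNamespace(id=user_id, is_authenticated=user_id is not None))
    view = SimpleNamespace(kwargs=kwargs)
    if not WorkspaceMemberPermission().has_permission(request, view):
        return 403  # DRF's default answer to a failed has_permission
    # The permission already resolved this workspace, so the .get() below cannot raise:
    # an "if not workspace: return 404" branch at this point is dead code.
    workspace = resolve_workspace(kwargs)
    return 201 if can_upload(entity_type, workspace.id, user_id) else 403
```

Two design points carried by the code: membership is tested with `is_active=True`, so a removed member's stale row no longer grants access; and the permission raises-or-denies on an unknown workspace, which is exactly why the view body should fetch the workspace with `.get()` and let a TOCTOU deletion surface as an exception rather than keep an `if not workspace` branch that can never execute.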