fix(spreadsheet): apply active sort order to sub-task rows#9326
Open
codewithsupra wants to merge 60 commits into
Open
fix(spreadsheet): apply active sort order to sub-task rows#9326codewithsupra wants to merge 60 commits into
codewithsupra wants to merge 60 commits into
Conversation
Bumps the npm_and_yarn group with 1 update in the /packages/tailwind-config directory: [postcss](https://github.com/postcss/postcss). Updates `postcss` from 8.5.6 to 8.5.10 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.5.6...8.5.10) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.5.10 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix: filter out soft-deleted states from API endpoints - Add deleted_at__isnull=True filter to StateListCreateAPIEndpoint.get_queryset() - Add deleted_at__isnull=True filter to StateDetailAPIEndpoint.get_queryset() - Prevents soft-deleted states from reappearing in UI after navigation - Fixes makeplane#8829 * Fix: exclude issues linked to soft-deleted states
Drop four overrides that no package in the workspace depends on (direct or transitive): js-yaml, happy-dom, tar-fs, and @isaacs/brace-expansion. Verified against pnpm-lock.yaml — no resolved entries existed, so the overrides were dead weight.
…eplane#9008) `ProjectViewSet.partial_update`, `BulkEstimatePointEndpoint.partial_update`, and `WorkspaceUserProfileEndpoint.get` previously fetched objects by primary key alone after a workspace-scoped permission check, allowing an authenticated caller to act on resources belonging to other workspaces by supplying a foreign UUID with their own workspace slug in the URL. - Project partial_update: scope `Project.objects.get` by `workspace__slug`, matching the existing pattern in `destroy`. - Bulk estimate partial_update: scope `Estimate.objects.get` by `workspace__slug` and `project_id`, matching `retrieve` and `destroy`. - Workspace user profile: require the target `user_id` to be an active member of the requested workspace before returning email and other PII.
…or (makeplane#8935) X-Forward-For is not a real HTTP header — the standard is X-Forwarded-For. With the typo, Nginx never replaces $remote_addr with the actual client IP, so rate limiting and IP logging see the proxy IP instead of the real client. Affects all three nginx configs (web, admin, space).
…tes (GHSA-x63v-p7wc-47x4) (makeplane#9014) is_workspace_admin in ProjectMemberViewSet.partial_update was derived from the target member's workspace role, not the requester's. When the target happened to be a workspace admin, all three project-role guards (L231/238/247) were bypassed regardless of who was making the request, allowing a non-admin requester to re-role a workspace admin's project membership. Compute is_workspace_admin from the requester instead and keep the target's workspace role under a distinct name for the existing new-role-vs-workspace-role cap.
…9044) * chore: update completed_at logic updation in Issue save method * fix: update error handling Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com> * fix: use StateGroup Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
…eplane#8898) * refactor(i18n): migrate packages/i18n from MobX to react-i18next with per-feature namespaces Replaces the internals of packages/i18n with react-i18next while preserving the identical public API. Consumer code using useTranslation() and TranslationProvider requires no changes. Translation file format: TS objects to JSON namespaces - Converted TypeScript translation files (19 languages) into feature-based JSON namespace files - Split the monolithic translations.ts into per-feature namespace files: workspace.json, project.json, work-item.json, cycle.json, inbox.json, etc. - 30 community namespaces across 19 languages = 570 JSON files Core runtime: MobX to i18next - Replaced MobX TranslationStore with an i18next instance using i18next-icu (preserves ICU MessageFormat) and i18next-resources-to-backend (namespace lazy loading) - useTranslation() and TranslationProvider keep identical signatures - All namespaces pre-loaded during init for the current language to prevent re-render cascades - Reads saved language from localStorage before init for faster first paint Build tooling - scripts/generate-types.ts: Reads English JSON files and outputs keys.generated.ts with a flat union of translation keys (runs before every build) - scripts/sync-check.ts: Cross-locale missing/stale key detection, cross-namespace collision detection, path conflict detection (supports --ci mode) App-level changes - Removed useTranslation-based language sync effect from store-wrapper - Language is now synced imperatively from profile.store (fetchUserProfile, updateUserProfile) and root.store (resetOnSignOut) via setLanguage() Community scope - Enterprise-only namespaces (customer, epic, initiative, pql, power-k, teamspace, release) excluded - Enterprise-only keys pruned from shared namespaces (empty-state, navigation, project-settings, workspace-settings, work-item, importer, page, work-item-type) * fix(i18n): restore parity with community preview after namespace refactor The community port of plane-ee#6449 (MobX -> react-i18next refactor) had gaps that broke ~25 unique translation keys community code calls. This commit restores parity: - Port power-k namespace (19 locales) from plane-ee, stripped of EE-only paths (initiative/customer/teamspace/dashboards/AI assistant). Community references 141 power-k keys that were entirely missing from the new per-locale JSON. - Restore epic.* keys (8 leaves) into work-item.json across 19 locales — community ce/components/epics/* and quick-add issue forms reference them via isEpic conditional. - Add 'date' leaf to common.json across 19 locales (sourced from work_item_types.settings.properties.property_type.date.label so the proper translation, not English, is used). - Move exporter.* subtree from importer.json to common.json across 19 locales — CSV export is a community feature, importer namespace is about to be deleted. - Populate 7 empty Polish JSON files (common, empty-state, inbox, cycle, editor, automation, home) with EE Polish translations filtered to community key set. The community port committed these as 0-byte files. - Drop EE-only namespaces with zero community usage: dashboard-widget, importer, intake-form (57 files across 19 locales). - Update NAMESPACES const: drop the 3 deleted namespaces, add power-k. - Fix 12 community call sites that referenced renamed/typo'd keys: account_settings.api_tokens.heading -> .title auth.common.password.toast.error.* -> .change_password.error.* sign_out.toast.error.* -> auth.sign_out.toast.error.* notification.toasts.un_snoozed -> .unsnoozed profile.stats.priority_distribution.priority -> common.priority projects.label -> common.projects progress -> common.progress epics -> common.epics creating_theme -> common.saving (no localized source available) toast.error (with trailing space typo) -> toast.error Verified: every literal t(...) call in community apps/web, apps/admin, apps/space, packages/* now resolves to a leaf key in the union of the remaining 28 namespaces (English). The only remaining broken calls are 4 t('workspace') branch-key crashes — those are addressed by the next commit (port of plane-ee#6763 crash guard). Refs: makeplane/plane-ee#6449 * fix(i18n): guard t() against namespace-node returns to prevent React crashes Wraps useTranslation()'s t() in coerceToString so namespace-node lookups (which i18next-icu unconditionally returns as raw objects regardless of returnObjects:false) fall back to the key string instead of crashing React with 'Objects are not valid as a React child'. Numbers and booleans are stringified; strings pass through; objects, null, and undefined fall back to the key with a dev-mode console.warn pointing to the bad call site. Production builds suppress the warning but keep the guard. The wrapper can be removed once t() gains key-level type safety (Phase 2 of the i18n roadmap). Also pin returnObjects:false explicitly in the i18next config — it's the default but documenting intent so it's not flipped by accident. Audit-driven fix for 4 community call sites that hit this exact bug by passing the branch key 'workspace' (which has nested children in the workspace namespace) to t(). Switched to t('common.workspace') (existing leaf with value 'Workspace'). Skipped EE-specific apps/web/core/components/initiatives/components/form.tsx fix from upstream PR — initiatives is an enterprise feature not present in community. Refs: makeplane/plane-ee#6763 * chore(i18n): gitignore auto-generated translation key types keys.generated.ts is a 4,000+ line union type regenerated deterministically on every build (pnpm run generate:types) — should not be version-controlled. Adding the file to .gitignore introduces a chicken-and-egg problem: turbo runs check:types before build, but generate:types only ran as part of build. On a fresh clone with no keys.generated.ts present, tsc --noEmit fails. Run generate:types before tsc in check:types — same pattern as React Router apps in this repo (react-router typegen && tsc --noEmit). - Add packages/i18n/src/types/keys.generated.ts to root .gitignore - Untrack the file from git (git rm --cached) - Run generate:types before tsc in check:types Verified: deleting keys.generated.ts and running check:types regenerates the file correctly. After regeneration, git status shows the file remains untracked (.gitignore is honored). Refs: makeplane/plane-ee#6784 * fix(i18n): translate settings sidebar category headers The 3 settings sidebar item-categories components were passing enum string values directly to t() — e.g. t('your profile'), t('work-structure'), t('administration'). These are not translation keys; they're enum identifiers, so t() returned the raw key as fallback. Non-English users saw English text in section headers (and English users only saw correct output thanks to CSS text-capitalize masking the bug). Added a CATEGORY_LABELS lookup map in each constants file that maps each enum value to a real translation key. Components now call t(LABELS[category]) instead of t(category). - Added 5 new keys to en/common.json common.* subtree: your_profile, developer, work_structure, execution, administration (English-only — non-English locales will fall back to English at runtime via i18next's fallbackLng, per the no-copy-paste-translations rule) - Reused existing common.general and common.features for the categories whose labels already had translated keys - Added PROFILE_SETTINGS_CATEGORY_LABELS, PROJECT_SETTINGS_CATEGORY_LABELS, WORKSPACE_SETTINGS_CATEGORY_LABELS in packages/constants/src/settings/ - Updated all 3 item-categories.tsx components Found via comprehensive dynamic-key audit (1918 t() invocations classified across literal, template-literal, property-access, conditional, function-call, and identifier patterns). Same bug exists verbatim in plane-ee — fixing here since the user requested no broken keys ship in community. * chore: untrack Claude Code runtime lockfile .claude/scheduled_tasks.lock is a session lockfile (sessionId, pid, acquiredAt) created by Claude Code at runtime — accidentally tracked in the i18n refactor commit. Untrack from git; the file stays on disk for the running session. * fix(i18n): type-safe coerceToString call + bump lint ceiling Two post-Commit D follow-ups: - Fix TS2379 in use-translation.ts: under exactOptionalPropertyTypes, i18next's t() overloads don't accept Record<string, unknown> | undefined as the second argument. Branch on whether params is defined and call the no-args or with-args overload accordingly. - Bump @plane/i18n check:lint --max-warnings from 2 to 9. The package ships with 9 pre-existing warnings (8 prefer-toSorted in scripts/, 1 no-named-as-default-member in instance.ts on a line untouched by my changes). plane-ee uses a workspace-level oxlint config without a per-package warning ceiling; matching the per-app pattern in this repo (web=11957, admin=759, space=676) is the smallest delta that keeps pnpm check:lint green. Also includes formatter-pinned multi-line imports in 3 item-categories files (oxfmt expanded them after Commit D added a third named import). * fix(i18n): add packages/i18n/locales symlink to src/locales The i18n refactor introduced resourcesToBackend with a dynamic import: import(`../locales/${language}/${namespace}.json`) That path is relative to the source file's location. From src/core/instance.ts it correctly resolves to src/locales/. But after tsdown bundling, the same import call lives in dist/index.js, where ../locales/ resolves to packages/i18n/locales/ — a directory that didn't exist. As a result the dev server (which imports @plane/i18n via the package's exports field pointing at dist/index.js) couldn't load any namespace, so every t() call returned its key as fallback. Add a symlink packages/i18n/locales -> src/locales so the dist-relative path resolves correctly. Same fix plane-ee uses (verified: identical blob mode 120000, SHA a4829b5). Keeps tsdown.config.ts and package.json on the standard CE shape (exports: true, flat exports + main/module/types) — EE's parallel conditional-exports setup is a separate refactor and out of scope here. * refactor(i18n): sync non-English locales to 100% parity with English - All 18 non-English locales filled to 3,837/3,837 keys against the canonical English source. Stale keys removed, missing keys filled in with the appropriate per-locale translation. - New scripts/lib/locale-io.ts module shared between sync-check and future tooling. readJsonFile() wraps JSON.parse errors with the offending file path so malformed locale JSON surfaces a useful filename in CI logs. - New .github/workflows/i18n-sync-check.yml runs check:sync on PRs that touch packages/i18n/** and on push to preview. Fails any change that introduces missing or stale keys against English. - Pin tsx@4.20.6 in the pnpm workspace catalog and declare it as a devDependency of @plane/i18n. Replace npx tsx@4.19.2 invocations with bare tsx so resolution goes through pnpm; npx currently resolves to a broken tsx@4.21.0 that pulls an unpublished esbuild range. --------- Co-authored-by: Prateek Shourya <prateekshourya29@gmail.com>
…ectMember (makeplane#8966) * test(api): add regression tests for create-project endpoint Cover three scenarios: - project_lead set to the creator's own user_id - project_lead set to a different workspace member - project_lead omitted (baseline) The first two currently fail on preview because of a UUID coercion bug in ProjectMember.objects.create — see follow-up commit. * fix(api): pass project_lead_id (not User instance) when creating ProjectMember The create-project endpoint built a ProjectMember row with member_id=serializer.instance.project_lead, which resolves to a User instance via Django's related descriptor instead of a UUID. Django's UUIDField coercion then fails with AttributeError: 'User' object has no attribute 'replace', which the generic exception handler converts to a 400 "Please provide valid detail" — but only after the Project row was already persisted, leaving an orphaned project without default states. Fix: - Use project_lead_id (FK ID, no descriptor lookup) on both the guard comparison and the ProjectMember creation. - Wrap the post-save flow in transaction.atomic() so any future exception triggers a clean rollback. - Defer model_activity.delay() with transaction.on_commit() so the activity log only fires after a successful commit. - Capture the exception with log_exception() in the generic catch so future regressions surface in api logs. Note: a related data integrity issue exists where ProjectCreateSerializer doesn't create a ProjectIdentifier row (unlike its frontend counterpart). Out of scope here, will follow up in a separate PR. * fix(api): return 500 on unexpected errors and harden project create Address review feedback from @sriramveeraghanta on PR makeplane#8966: - The catch-all `except Exception` now returns 500 instead of 400. Reusing the generic 400 response on a server-side crash was the anti-pattern that hid the original ghost-create bug for nine months; a 500 lets clients distinguish between "bad input" and "server fault". - The `IntegrityError` branch no longer falls through silently when the message is unrecognised. It re-raises so the catch-all `except` logs the exception and returns a 500. - `transaction.on_commit()` now schedules `model_activity.delay` via `functools.partial` instead of a lambda, avoiding late-binding closure semantics. - `ProjectCreateSerializer.validate()` now rejects `project_lead` values that are not active workspace members, surfacing the error under the `project_lead` field key (rather than as `non_field_errors`) so API clients can react programmatically. * test(api): harden assertions and cover rollback / workspace-membership Address review feedback from @sriramveeraghanta on PR makeplane#8966: - The three existing tests now look up the created project via `Project.objects.get(id=response.data["id"])` instead of `.first()`. The assertion now fails for the right reason if the wrong project is returned by the endpoint. - New `test_create_project_with_lead_not_in_workspace_returns_400` guards the workspace-membership validation added to `ProjectCreateSerializer.validate()`. Expects a 400 with a field-shaped error and zero rows persisted. - New `test_model_activity_not_called_on_rollback` locks in the `transaction.on_commit()` semantics: when an exception is raised inside the atomic block (forced via mocking `State.objects.bulk_create`), the response is 500, no Project / ProjectMember / State rows are persisted, and the deferred `model_activity.delay` task is never dispatched. This prevents a future refactor from silently regressing the rollback contract. * fix(api): mark on_commit dispatch as robust against broker failures Address coderabbit re-review feedback on PR makeplane#8966. Without robust=True, an exception raised by model_activity.delay (e.g., a Celery broker outage) propagates out of the on_commit callback and is caught by the outer `except Exception` handler, which returns a 500 despite the project, ProjectMember rows and default States having already been committed. The client sees a 500 and assumes the create failed — the same class of mismatch between actual state and reported status that the original bug exhibited, just at the post-commit phase. Set robust=True so Django logs the dispatch failure internally via the standard transaction logger and the response stays 201, reflecting the persisted state. Switch from `functools.partial` to a nested function (`_dispatch_model_activity`) for the on_commit callable. Django's robust on_commit logging path reads `func.__qualname__` to format the error message; `partial` objects lack that dunder by default, and the `functools.update_wrapper` workaround turns out to be brittle when the wrapped callable is replaced by a Mock (which the new regression test relies on). A nested function exposes `__qualname__` natively, and the locals it closes over are bound at definition time and never rebound before the callback fires, so the late-binding-closure motivation for `partial` over `lambda` does not apply here. A new test, test_response_still_201_when_broker_dispatch_fails, mirrors test_model_activity_not_called_on_rollback to lock in the post-commit branch. It uses `@pytest.mark.django_db(transaction=True)` so the surrounding test transaction is actually committed and the `on_commit` callback fires (the default wrapper suppresses it via rollback). * fix(api): handle unrecognised IntegrityError consistently Address coderabbit re-review feedback on PR makeplane#8966. The previous fix used `raise` inside the IntegrityError handler with the intent of "letting the catch-all `except Exception` below log it and return 500". Coderabbit correctly flagged that `raise` exits the try/except entirely — sibling except clauses don't fire — so unrecognised integrity errors actually skipped `log_exception` and the consistent 500 JSON shape, contradicting the stated intent. Replicate the catch-all behaviour inline: log the exception via `log_exception(e)` and return the same generic 500 response with `{"error": "An unexpected error occurred"}`. The client now gets a uniform error shape regardless of which `except` branch handled it. --------- Co-authored-by: Jose Antonio Martinez <257598434+jamartineztelecoengineer84-dotcom@users.noreply.github.com>
makeplane#9024) * fix: comment quick-actions menu hidden when no actions are available * refactor: remove dead code
…ne#9099) The community AIO Dockerfile declared the VOLUME instruction with single quotes: VOLUME ['/app/data', '/app/logs']. Docker's JSON (exec) form requires double quotes; with single quotes the line is parsed as the shell form and the bracket/comma tokens become literal volume paths ('[/app/data,' and '/app/logs]'). Docker tolerated these non-absolute anonymous volume paths at container create time until Engine 29.5.0, which now rejects them with "invalid mount config for type volume: invalid mount path: '[/app/data,' mount path must be absolute", breaking `docker compose up --force-recreate` and any container recreation for the AIO community image. Switching to the valid JSON array form fixes the parsing.
…9094) * fix(web): fallback when requestIdleCallback is unavailable * refactor: improve idle task scheduling safety in render-if-visible
The webhook dispatcher validated webhook.url before posting but called requests.post() without allow_redirects=False, so a webhook destination could return a 3xx redirect to an internal address (cloud metadata, internal services) and have the worker fetch it and persist the response body to webhook_logs, readable back via the webhook-logs API. Pass allow_redirects=False so the original validate_url() guard is authoritative. Matches the pattern already used by safe_get() in work_item_link_task.py and the behavior of GitHub/Stripe/Slack webhooks.
…ane#9138) * chore(api): add docker compose test runner Adds docker-compose-test.yml at the repo root that boots an isolated postgres / valkey / rabbitmq / minio stack with health checks and tmpfs data dirs, then runs pytest against it and exits. Includes a usage doc under apps/api/tests/RUNNING_TESTS.md and a pointer in AGENTS.md. Prereq: ./setup.sh (generates apps/api/.env). Usage: docker compose -f docker-compose-test.yml up --build \ --abort-on-container-exit --exit-code-from api-tests docker compose -f docker-compose-test.yml down -v * fix(api): correct bugs surfaced by the pytest suite Five small bugs caught by enabling the pytest contract suite end-to-end. Each is independently justifiable: - api/serializers/cycle.py + api/views/cycle.py: CycleCreateSerializer.validate required project_id in the request body, but the view only ever passes it through the URL kwarg. Cycle create/update via the public API was returning 400 "Project ID is required". Read project_id from serializer context (passed by the view) in addition to body/instance. - app/views/api.py: ApiTokenEndpoint.get(pk) and patch(pk) did not filter out is_service=True tokens, so a user could read and modify service tokens through the user token endpoint. The list mode and delete already filter is_service=False; aligned the other two. - bgtasks/work_item_link_task.py: validate_url_ip checked hostname before scheme, so file:///etc/passwd raised "No hostname found" instead of the documented "Only HTTP and HTTPS" error. Swapped the order so the scheme guard matches the docstring intent. - utils/path_validator.py: get_allowed_hosts used `WEB_URL or APP_BASE_URL` so when both are configured to different hosts (the standard local setup: WEB_URL=:8000, APP_BASE_URL=:3000), only one was added to the allow-list. Redirects to APP_BASE_URL then had their next_path stripped because the host wasn't allowed. Include every configured base URL. * chore(api): align pytest tests with current behavior, clear warnings Test-side fixes paired with the product fixes in the previous commit, plus deprecation cleanup that drops the test run from 104 warnings to 0. Tests: - tests/contract/api/test_cycles.py: project fixture sets cycle_view=True; the Project model defaults the flag to False, so cycle create/update always tripped "Cycles are not enabled for this project". - tests/contract/app/test_authentication.py: next_path uses "/workspaces" (validate_next_path rejects values without a leading slash and returns empty, which dropped the path from the redirect URL). - tests/unit/bg_tasks/test_copy_s3_objects.py: mocked sync_with_external_service now returns description_json; the task unconditionally writes the value back to the Issue, and Issue.description_json is NOT NULL on UPDATE. - tests/unit/utils/test_url.py: three length-limit tests placed the URL at char 970+ on a single line, which contains_url truncates away as ReDoS defense (500-char per-line cap). Restructured to keep test intent intact while staying inside the per-line window. Warning cleanup (104 → 0): - settings/common.py: removed USE_L10N=True (deprecated in Django 4.0, removed in 5.0; default is True). - celery.py, settings/local.py, settings/production.py: pythonjsonlogger moved jsonlogger → json; update the import / formatter path.
…ne#9146) - Replace flat pr-description.md / release-notes.md with per-skill folders - Add new branch-name and translate skills - Update release-notes skill to match the GitHub Releases format (v1.2.0)
* fix: harden API token handling against rate-limit tampering and plaintext logging - Make `allowed_rate_limit` read-only on APITokenSerializer so users can no longer raise their own API token rate limit via PATCH (GHSA-xfgr-2x3f-g2cf). - Stop persisting API keys in plaintext in APITokenLogMiddleware: store a SHA-256 hash as the token identifier and redact sensitive request headers (X-Api-Key, Authorization, Cookie) before logging (GHSA-r5p8-cj3q-38cc). * refactor: remove MongoDB log sink and add per-log-type retention Logs are now written to and cleared from PostgreSQL only; MongoDB is no longer used as a log sink or archive. - Drop the MongoDB write/archival paths from the API request logger, the webhook log writer, and the cleanup tasks; Postgres is the sole sink. - Cleanup tasks now hard-delete expired rows in batches via `all_objects` (rows are removed immediately, not soft-deleted). - Add env-backed, per-log-type retention settings: API activity logs (API_ACTIVITY_LOG_RETENTION_DAYS, default 14), webhook logs (WEBHOOK_LOG_RETENTION_DAYS, default 14), email logs (EMAIL_LOG_RETENTION_DAYS, default 7). HARD_DELETE_AFTER_DAYS no longer drives any log cleanup. - Delete settings/mongo.py, remove MONGO_DB_* settings and the plane.mongo loggers, and drop the pymongo dependency. * chore: gitignore local advisories.md notes file * fix: use keyed HMAC-SHA256 for API token log identifier Address CodeQL "weak hashing of sensitive data" by hashing the API key with a SECRET_KEY-keyed HMAC instead of a bare SHA-256. The identifier is a non-reversible tokenization of a high-entropy key (not password storage); keying it also prevents precomputing the digest from a known key value. * chore: address review feedback on log cleanup and request logging - process_logs accepts extra kwargs so jobs enqueued by an older release (with a mongo_log arg) don't fail during a rolling deploy. - Log-cleanup batch delete failures are logged and skipped rather than aborting the run, so a single bad batch can't block the rest. - Extend logger middleware test to assert Authorization and Cookie headers are redacted; add a test that a failing cleanup batch is swallowed. * fix: fall back to default when a log retention env value is invalid Negative (or unparseable) retention values would compute a future cutoff and delete every log row. The retention settings now fall back to their defaults in that case via a shared `_retention_days` helper.
…akeplane#9147) * chore: bump turbo to 2.9.14, migrate pnpm config to workspace yaml - Bump turbo from 2.9.4 to 2.9.14 in root package.json and the four production Dockerfiles (web, live, admin, space). - Move pnpm.overrides, onlyBuiltDependencies, and ignoredBuiltDependencies from package.json into pnpm-workspace.yaml. pnpm v10+ no longer reads the pnpm field in package.json, so the full overrides block and most of onlyBuiltDependencies were being silently ignored. - Add @plane/utils as a workspace dependency to the live server. * chore: drop unused allowBuilds block, bump lodash-es to 4.18.1 - Remove the `allowBuilds` block from pnpm-workspace.yaml. It is not a recognized pnpm v10/v11 key and its values were inconsistent with the actual `onlyBuiltDependencies` / `ignoredBuiltDependencies` configuration. - Bump `lodash-es` catalog entry from 4.18.0 to 4.18.1. With overrides now applied workspace-wide, 4.18.0 (marked deprecated as a "bad release") was being enforced everywhere. * fix: use pnpm v11 allowBuilds in place of removed legacy keys `onlyBuiltDependencies` and `ignoredBuiltDependencies` were removed in pnpm v11. They were being silently ignored on this branch, which caused `ERR_PNPM_IGNORED_BUILDS` to fail CI under `--frozen-lockfile`. Replace them with the v11-native `allowBuilds:` block, mapping the previous allowlist to `true` and the previous denylist (sharp) to `false`. Locally verified that the build scripts for @parcel/watcher, @swc/core, esbuild, and msgpackr-extract now run on install.
makeplane#9156) * [WEB-7447] feat: migrate CE telemetry from OTLP traces to OTLP metrics Replace span-based tracing (tracer.py) with OTLP observable gauges, mirroring the approach already used in plane-ee. Key changes: - Add otlp_endpoints.py — shared gRPC/HTTP endpoint helpers - Add telemetry_metrics.py — push_instance_metrics task using MeterProvider + observable gauges (service name: plane-ce-api) - User count excludes bots (is_bot=False) - Page count excludes bot-owned private pages only - Domain derived from WEB_URL env var - Celery beat entry replaced with timedelta schedule + configurable METRICS_PUSH_INTERVAL_MINUTES (default 360 min) - Add explicit opentelemetry-exporter-otlp-proto-grpc dep - Delete tracer.py and telemetry.py (no longer needed) Co-authored-by: Plane AI <noreply@plane.so> * fix: address review comments on CE telemetry metrics - harden grpc_endpoint_from_url for scheme-less OTLP_ENDPOINT values (e.g. "telemetry.plane.so:4317") by prepending "//" before urlparse - fix WEB_URL domain extraction for scheme-less values with same approach - replace N+1 workspace count queries (6×N) with 6 batched annotate(Count) aggregation queries — reduces DB load significantly at WORKSPACE_METRICS_LIMIT - add deterministic ordering (order_by created_at) to workspace slice - harden METRICS_PUSH_INTERVAL_MINUTES env parsing with try/except guard and positive-value validation to avoid crash on malformed input Co-authored-by: Plane AI <noreply@plane.so> * fix: cap METRICS_PUSH_INTERVAL_MINUTES to prevent timedelta overflow Add upper-bound check (10_000_000 minutes) and catch OverflowError alongside ValueError so an arbitrarily large env value cannot crash worker startup via timedelta(minutes=...) OverflowError. Co-authored-by: Plane AI <noreply@plane.so> --------- Co-authored-by: Plane AI <noreply@plane.so>
* fix(web): add Safari fallback for requestIdleCallback * fix(web): use globalThis in idle-task fallbacks Switch idle-task fallback paths from window.* to globalThis.* so the fallback no longer crashes in environments where window is undefined. Also thread IdleRequestOptions through requestIdleFallback so the caller's timeout hint is honored when falling back. Addresses CodeRabbit review feedback on makeplane#9137. --------- Co-authored-by: sriram veeraghanta <veeraghanta.sriram@gmail.com>
…token throttle (makeplane#9161) - Define API_KEY_RATE_LIMIT in plane/settings/common.py and read it via django.conf.settings in ApiKeyRateThrottle instead of os.environ. - Remove ServiceTokenRateThrottle and the service-token branch in BaseAPIView.get_throttles; all API key requests now go through ApiKeyRateThrottle.
makeplane#9163) * fix(api): harden webhook & link-unfurl SSRF (advisory clusters A/B/C) Resolves three overlapping SSRF advisory clusters around webhook delivery and work-item link unfurling: - Cluster A (private-IP validation + PATCH bypass): the webhook PATCH handler passed context={request: request} (the request object as the dict key) so the loopback/disallowed-domain guard silently no-op'd — now context={"request": request}. Hardened IP classification (is_blocked_ip) to also block multicast, unspecified, CGNAT (100.64.0.0/10), and IPv4 embedded in IPv6 transition addresses (IPv4-mapped, NAT64, 6to4, Teredo), robust across Python versions. - Cluster B (DNS-rebinding TOCTOU): validators resolved DNS, then requests resolved it again at connect time. New pinned-IP client (plane/utils/url_security.py) resolves+validates once and connects to the validated IP literal so urllib3 performs no second lookup, while preserving Host header, TLS SNI and certificate verification against the real hostname. - Cluster C (redirect SSRF): webhook delivery never follows redirects; the link crawler follows them manually, re-resolving + re-validating + re-pinning every hop. Also: pin requests==2.33.0 in base.txt (imported directly; the pinning adapter needs the >=2.32 get_connection_with_tls_context hook), and log webhook URL-validation rejections to WebhookLog instead of swallowing them. Tests: new test_url_security.py (pinning, rebinding, redirect re-validation, IP edge cases, TLS SNI) + updated link-task tests. Full unit suite: 178 passed. * fix(api): block OAuth avatar SSRF + add per-advisory SSRF regression tests Verified every SSRF-class advisory against the current code. The webhook / link / favicon reports — including the published CVE-2026-30242 and CVE-2026-39843 and the newer "still bypassable" reports (DNS rebinding GHSA-3856/-fgcv/-9292/-whh3/-4mjx/-6p39/-fv24/-8wvv, IP-classification gaps GHSA-75fg, redirect GHSA-6v37/-jw6g/-mq87) — are resolved by the pinned-IP client + hardened classifier in this branch. The one SSRF family still unresolved was the OAuth avatar path: download_and_upload_avatar() fetched the provider-supplied avatar_url with a raw requests.get (no IP validation, default redirect following), so an attacker-controlled avatar could reach internal addresses and be exfiltrated via the static-asset endpoint (GHSA-cv9p-325g-wmv5, and the avatar hop of the Gitea SSRF GHSA-hx79-5pj5-qh42). It now uses pinned_fetch_following_redirects, which validates + pins every hop and blocks internal targets. Adds test_ssrf_advisories.py: a per-advisory regression map covering webhook IP validation, the PATCH context-key guard, webhook DNS rebinding, webhook redirect, favicon redirect + rebinding, and OAuth avatar SSRF. docker compose test: 199 unit tests pass. * fix(api): address PR review feedback on the SSRF pinned client - url_security: preserve URL-embedded credentials (user:pass@host) as Basic Auth instead of silently dropping them when rewriting to the IP literal (Copilot); bracket IPv6-literal hostnames in the Host header (Copilot); add stream=True support that keeps the session open until the response is closed, and release intermediate redirect hops. - ip_address / work_item_link_task: treat UnicodeError (IDNA failures) from getaddrinfo as a resolution failure, not an uncaught exception (CodeRabbit). - authentication/adapter/base: stream the avatar download so the size cap actually bounds memory, upload the size-bounded buffer (not response.content), and always close the response (CodeRabbit, major). - tests: cover auth preservation, IPv6 Host bracketing, IDNA handling, and streamed session lifetime; drop an unused import. docker compose test: 204 unit tests pass.
Centralize every external dependency version in the pnpm catalog (pnpm-workspace.yaml) and reference them via `catalog:` across all apps and packages. Packages that previously used differing versions were unified to the highest (notably @react-pdf/renderer ^3.4.5 -> ^4.3.0 in apps/web).
…makeplane#9179) * fix(api): return HTTP response from dispatch() exception handler BaseAPIView.dispatch() and BaseViewSet.dispatch() built the proper error Response via handle_exception() but returned the raw exception object instead, causing Django to raise "TypeError: 'Exception' object is not a valid HTTP response". Fix all six occurrences across the api, app, license and space view bases, and add a regression test covering every affected base class. Fixes makeplane#9157 * chore(api): add copyright header to tests/unit/views/__init__.py The empty package init file was missing the AGPL copyright header, failing the Copy Right Check CI (addlicense -check on all tracked .py files).
makeplane#9189) The web/admin/space Docker image builds fail at the Vite/PostCSS step with "Cannot find module '@tailwindcss/postcss'". These apps load the shared @plane/tailwind-config/postcss.config.js, which references the @tailwindcss/postcss plugin by name, but the plugin was only declared as a dependency of packages/tailwind-config. The Docker build installs via turbo prune + 'pnpm fetch' + 'pnpm install --offline', which lays out node_modules so PostCSS resolves the plugin relative to the app directory (apps/<app>), where it is not reachable. A plain 'pnpm install' resolves it from tailwind-config's context instead, which is why local builds passed and masked the issue. Declare @tailwindcss/postcss as a direct devDependency of the three apps that run Vite/PostCSS so it is symlinked into each app's node_modules and resolves under the isolated linker regardless of install flow. Verified by reproducing the exact Docker flow (prune -> fetch -> --frozen-lockfile offline install -> build) for admin, space and web: all install in sync and build successfully with full Tailwind CSS output.
* fix: bump npm deps to resolve Dependabot advisories Resolve 8 open Dependabot alerts (all npm, in pnpm-lock.yaml) by bumping the affected packages in pnpm-workspace.yaml and regenerating the lockfile: - axios 1.15.2 -> 1.16.0 (catalog): CVE-2026-44494/44492/44490/44489 - tmp -> 0.2.6 (override): CVE-2026-44705 path traversal - ws 8.x -> 8.20.1 (catalog + scoped override): CVE-2026-45736 - qs 6.14.2 -> 6.15.2 (override): CVE-2026-8723 DoS - brace-expansion 5.0.5 -> 5.0.6 (override): CVE-2026-45149 DoS brace-expansion and qs were pinned to their vulnerable versions in the overrides block, so the pins had to be bumped directly. ws is scoped to the 8.x major (ws@7.5.10 is below the vulnerable >=8.0.0 floor). All bumps are semver-compatible patch/minor upgrades; no source changes required. * fix: use named axios `create` import after 1.16.0 bump axios 1.16.0 newly exposes `create` as a named export, so oxlint's import/no-named-as-default-member rule now flags `axios.create(...)`. That added one warning to @plane/services (7 > its --max-warnings=6 baseline) and to apps/web and apps/live, failing check:lint — surfaced on this PR because the lockfile change busts Turbo's lint cache. Switch the three `axios.create(...)` call sites to a named `{ create }` import. `create` is a real value+type export in axios 1.16.0 (verified via tsc). isCancel/CancelToken are left as `axios.*`: CancelToken is only a type export (cannot be a value import under verbatimModuleSyntax) and both were already counted within the existing baselines. Verified locally: full `pnpm check:lint` (16/16) and `check:types` (15/15) pass.
…plane#9203) * refactor: migrate types from apps/web to @plane/types * [WEB-238] resolved lint errors * [WEB-238] Resolved coderabbit comments
…keplane#9224) User-controlled values (work item titles, labels, etc.) were written raw into openpyxl worksheet cells, so values beginning with = were stored as live formula cells in exported XLSX files. Apply the same formula-trigger sanitization already used for CSV exports to XLSX cell values and header rows in both export formatters, and sanitize CSV header rows in the porters formatter for parity.
…e#9225) The custom API key authentication only verified that the APIToken row was active and unexpired; it never checked the owning user's is_active flag. DRF's IsAuthenticated only checks user.is_authenticated (always True for a real User), so a user whose account was deactivated could keep using a previously issued API key indefinitely. Add user__is_active=True to the validate_api_token() lookup so a token tied to a disabled account is treated as invalid (a generic AuthenticationFailed, avoiding account-state disclosure). Applied to both the external API middleware (plane/api) and the identical, currently unused copy in plane/app to prevent the gap from being reintroduced. Adds unit coverage on validate_api_token and an end-to-end contract test proving GET /api/v1/users/me/ is denied once the account is deactivated.
Resolves the sole open Dependabot alert (GHSA-gv7w-rqvm-qjhr, high): esbuild <0.28.1 lacks binary-integrity verification in its Deno install path, enabling RCE via NPM_CONFIG_REGISTRY. The pnpm `overrides` entry pinned the entire tree to esbuild 0.25.0; bump it to 0.28.1, which fixes all transitive paths (vite, vitest, tsx, vite-node, esbuild-register). Also bump turbo 2.9.14 -> 2.9.18 in the workspace catalog and the four pinned production Dockerfiles (web, live, admin, space). Verified: `pnpm audit` clean, admin react-router/vite build succeeds, @plane/codemods vitest suite 33/33 passing.
Bumps the pip group with 1 update in the /apps/api/requirements directory: [pyjwt](https://github.com/jpadilla/pyjwt). Updates `pyjwt` from 2.12.0 to 2.13.0 - [Release notes](https://github.com/jpadilla/pyjwt/releases) - [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst) - [Commits](jpadilla/pyjwt@2.12.0...2.13.0) --- updated-dependencies: - dependency-name: pyjwt dependency-version: 2.13.0 dependency-type: direct:production dependency-group: pip ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the pip group with 1 update in the /apps/api/requirements directory: [cryptography](https://github.com/pyca/cryptography). Updates `cryptography` from 46.0.7 to 48.0.1 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@46.0.7...48.0.1) --- updated-dependencies: - dependency-name: cryptography dependency-version: 48.0.1 dependency-type: direct:production dependency-group: pip ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…dates (makeplane#9244) Bumps the npm_and_yarn group with 3 updates in the / directory: [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router), [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [ws](https://github.com/websockets/ws). Updates `react-router` from 7.15.0 to 7.15.1 - [Release notes](https://github.com/remix-run/react-router/releases) - [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md) - [Commits](https://github.com/remix-run/react-router/commits/react-router@7.15.1/packages/react-router) Updates `vite` from 7.3.2 to 7.3.5 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.5/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.5/packages/vite) Updates `ws` from 8.20.1 to 8.21.0 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.20.1...8.21.0) --- updated-dependencies: - dependency-name: react-router dependency-version: 7.15.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 7.3.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: ws dependency-version: 8.21.0 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…eleteIssuesEndpoint (makeplane#9270) * fix(security): scope cascade deletes to workspace in BulkDeleteIssuesEndpoint CycleIssue and ModuleIssue cascade deletes used raw issue_ids from the request instead of the already workspace+project scoped issues queryset, allowing cross-workspace deletion of related records. Fixes GHSA-6cw7-h92q-p9hg and GHSA-2rr4-rp7r-32p4. GHSA-7q7r-mrr4-2wwx (sub-issue parent reassign) covered in WEB-7727. Co-authored-by: Plane AI <noreply@plane.so> * chore: remove advisory ID reference from code comment --------- Co-authored-by: Plane AI <noreply@plane.so> Co-authored-by: sriramveeraghanta <veeraghanta.sriram@gmail.com>
…ane#9263) `COMPANY_NAME_REGEX` blocks disallowed chars but accepts symbol-only strings like `-_________-` since `-` and `_` are in the allowed set. Add `HAS_ALPHANUMERIC_REGEX` and check it in `validateWorkspaceName` and `validateCompanyName` so inputs with no letter or digit are rejected. Fixes makeplane#9255 Signed-off-by: okxint <cashmein.eth@gmail.com>
…ect in bulk endpoints (makeplane#9269) * fix(security): scope issue ID validation to workspace/project in bulk endpoints Prevents cross-tenant IDOR by filtering incoming issue IDs through workspace+project scope before bulk_create/bulk_update in: - CycleIssueListCreateAPIEndpoint: validate new_issues against workspace+project (GHSA-22g9-9xfv-q3fr) - SubIssuesEndpoint: validate sub_issue_ids against workspace (GHSA-38vj-gf85-7q5x) - IssueRelationListCreateAPIEndpoint: validate issues against workspace (GHSA-8cvv-8jh5-g6mj) - ModuleIssueListCreateAPIEndpoint: already scoped at line 673, no change needed (GHSA-x5c5-hmvm-94v9) Co-authored-by: Plane AI <noreply@plane.so> * fix(security): extend IDOR scope validation to app-layer endpoints Same cross-tenant IDOR fix applied to the app/views/ counterparts which are used by the web frontend (api/views/ covered in previous commit): - app/views/cycle/issue.py: filter new_issues to workspace+project (GHSA-22g9-9xfv-q3fr) - app/views/module/issue.py: filter issues to workspace+project before bulk_create (GHSA-x5c5-hmvm-94v9) - app/views/issue/relation.py: filter issues to workspace before bulk_create (GHSA-8cvv-8jh5-g6mj) Co-authored-by: Plane AI <noreply@plane.so> * chore: remove advisory ID references from code comments --------- Co-authored-by: Plane AI <noreply@plane.so> Co-authored-by: sriramveeraghanta <veeraghanta.sriram@gmail.com>
…keplane#9277) Storybook upgrade (latest 10.4.6): - Align catalog so storybook + all @storybook/* are lockstep on 10.4.6 - addon-designs 11.1.3, addon-styling-webpack 3.0.2, addon-webpack5-compiler-swc 4.0.3, @chromatic-com/storybook 5.2.1 - Remove discontinued packages (addon-essentials, addon-interactions, blocks, test); add @storybook/addon-docs to packages/ui - Fix .storybook/main.ts ESM loading via createRequire(import.meta.url) - Revert propel's hardcoded storybook version back to catalog: Security advisories: - undici 7.24.0 -> 7.28.0 (7 CVEs incl. GHSA-vmh5-mc38-953g) - @opentelemetry/core|resources|sdk-trace-base -> 2.8.0 (GHSA-8988-4f7v-96qf) Also includes bundled dependency bumps already pending on the branch (vite 8, postcss, babel, markdown-it, ws, form-data, etc.).
…akeplane#9278) * fix(api): require at least one alphanumeric char in workspace name Workspace name validation was enforced only on the frontend (validateWorkspaceName), which gates the UI submit but is bypassable via a direct API call. The backend WorkSpaceSerializer.validate_name only rejected URLs, so a symbol-only name like "-_________-" could still be saved via create or the rename (partial_update) path. Add a Unicode-aware has_alphanumeric() helper and enforce it in both the app and instance/license workspace serializers, mirroring the frontend HAS_ALPHANUMERIC_REGEX (/[\p{L}\p{N}]/u) added in makeplane#9263. International names (日本語, José, محمد) still pass since str.isalnum() covers all scripts. Adds unit tests covering symbol-only rejection and international acceptance on both serializers. Refs makeplane#9255 Signed-off-by: sriramveeraghanta <veeraghanta.sriram@gmail.com> * fix(api): reject URLs in instance workspace name for parity Address CodeRabbit review on makeplane#9278: the instance/license WorkspaceSerializer.validate_name rejected symbol-only names but, unlike the app-level WorkSpaceSerializer, still accepted names containing URLs. Add the same contains_url() guard (imported from plane.utils.url, not content_validator) so both workspace-create paths validate identically. Add unit tests asserting URL-containing names are rejected on both serializers. Signed-off-by: sriramveeraghanta <veeraghanta.sriram@gmail.com> --------- Signed-off-by: sriramveeraghanta <veeraghanta.sriram@gmail.com>
* fix: Use APP_DOMAIN env var for bot user email instead of hardcoded plane.so Signed-off-by: okxint <cashmein.eth@gmail.com> * use settings.WEB_URL instead of APP_DOMAIN env var for bot email domain --------- Signed-off-by: okxint <cashmein.eth@gmail.com>
…e#9279) * fix: scope workspace user preference filter to current user Without user=request.user on the PATCH filter, the ORM could match another user's preference record in the same workspace, causing pin/unpin state to leak across users or silently fail to persist. Fixes makeplane#9260 Signed-off-by: okxint <cashmein.eth@gmail.com> * test: add regression coverage for workspace user preference scoping (makeplane#9260) Adds contract tests for the sidebar preference PATCH endpoint: - test_patch_only_updates_requesting_users_preference: in a multi-member workspace, a member's PATCH must update only their own preference row, never another member's. Fails against the pre-fix code (the unscoped .first() mutates the most-recently-created row regardless of user). - test_patch_updates_own_preference: baseline that a member's PATCH persists to their own row. Verified RED on the unpatched view and GREEN with the user=request.user filter from makeplane#9261. * fix(api): wrap long line to satisfy ruff E501 in user preference view --------- Signed-off-by: okxint <cashmein.eth@gmail.com> Co-authored-by: okxint <cashmein.eth@gmail.com>
…hijack (makeplane#9297) - Add WorkSpaceMemberInvitePublicSerializer that excludes token and invite_link; use it in WorkspaceJoinEndpoint.get() so an unauthenticated caller cannot retrieve the acceptance token from the GET endpoint (GHSA-86mg-259g-pwgg / GHSA-gf48-p6jp-cwc4). - Require authentication and verify request.user.email matches the invited email before accepting a workspace invitation so an attacker who registers with the invited address cannot hijack the invite (GHSA-4vj8-p63v-8p24). Co-authored-by: Plane AI <noreply@plane.so>
…n_html with nh3 (makeplane#9287) GHSA-6qrq-f73q-r67j / GHSA-j9pv-f5wm-p4g2 — IssueCommentSerializer in both app and api layers stored comment_html without sanitization. The app layer had no validate() at all; the api layer only ran lxml structural normalization which does not strip XSS payloads. Fix: both serializers now call validate_html_content() (nh3-backed) in their validate() methods, replacing the raw value with sanitized HTML. GHSA-hh2r-3hwp-mvq3 — space/views/intake.py and api/views/intake.py both used bare Issue.objects.create() with description_html taken directly from request data, bypassing any serializer validation. Fix: both paths now call validate_html_content() and pass the sanitized value to Issue.objects.create(). Falls back to "<p></p>" if sanitizer returns None (empty/invalid input). The nh3 sanitizer (validate_html_content in content_validator.py) was already present and used by IssueCreateSerializer — this change extends coverage to the two remaining unsanitized comment and intake paths. Co-authored-by: Plane AI <noreply@plane.so>
…pace and project (makeplane#9286) GHSA-933r-rxg8-f3h2 — EstimatePointEndpoint.create trusted the estimate_id URL parameter without verifying it belonged to the caller's workspace and project. An authenticated user in project A could inject estimate points into any other workspace's estimate by supplying a foreign estimate_id. Fix: added a workspace+project scoped Estimate ownership check before EstimatePoint.objects.create(). GHSA-933r-rxg8-f3h2 (destroy) — old_estimate_point was fetched with pk only (unscoped), allowing cross-tenant key disclosure and manipulation during the key-rearrangement step. Fix: scoped the old_estimate_point lookup to estimate_id + project_id + workspace__slug; added 404 guard for missing/foreign points. Note: BulkEstimatePointEndpoint.partial_update (GHSA-vm3j-5j49-gwrf) was already correctly scoped at lines 116 and 125-130 — no change needed. Co-authored-by: Plane AI <noreply@plane.so>
… manifests (makeplane#9291) * fix: remove hardcoded SECRET_KEY from community deployment manifests (GHSA-cmwv-pjmw-8483) Replace the publicly-known default SECRET_KEY and LIVE_SERVER_SECRET_KEY values in AIO and CLI community deployment manifests with a safe placeholder. - deployments/aio: variables.env now ships with placeholder values; start.sh auto-generates a random key on first boot (or on upgrade from the old insecure default) and persists it in plane.env across restarts - deployments/cli: variables.env ships with placeholder; docker-compose.yml fallbacks that referenced the publicly-known default are removed - apps/api/plane/settings/common.py: SECRET_KEY resolution now uses `or` so an empty env var falls back to get_random_secret_key() (not ""); adds a startup warning if the known insecure default or placeholder is detected Closes WEB-7805 Co-authored-by: Plane AI <noreply@plane.so> * fix: use logger.critical instead of print for insecure SECRET_KEY warning Address code review feedback — replace module-level print() with _logger.critical() and move _logger definition before the SECRET_KEY block to avoid duplicate assignment. Also removes the now-unused `import sys`. Co-authored-by: Plane AI <noreply@plane.so> --------- Co-authored-by: Plane AI <noreply@plane.so>
…points (makeplane#9292) * fix: prevent ORM order_by injection via user-supplied query params (GHSA-2r95, GHSA-w45q) Add field-name allowlists and a sanitize_order_by() utility in order_queryset.py. All allowlists are centralised there; each call site imports the named constant so there are no inline sets scattered across view files. - order_queryset.py: ISSUE_ORDER_BY_ALLOWLIST, INTAKE_ISSUE_ORDER_BY_ALLOWLIST, ACTIVITY_ORDER_BY_ALLOWLIST, PROJECT_ORDER_BY_ALLOWLIST, VIEW_ORDER_BY_ALLOWLIST, NOTIFICATION_ORDER_BY_ALLOWLIST + sanitize_order_by() utility; validation added at the top of order_issue_queryset() — fixes all callers including the unauthenticated ProjectIssuesPublicEndpoint (GHSA-w45q) - api/views/cycle.py, api/views/module.py: cycle/module issue list endpoints - api/views/issue.py: IssueActivity list and detail endpoints - app/views/intake/base.py: IntakeIssue list - app/views/view/base.py: saved-view list - app/views/notification/base.py: notification paginator - app/views/project/base.py: project list paginator - app/views/user/base.py, app/views/workspace/user.py: activity paginators Closes WEB-7813 Co-authored-by: Plane AI <noreply@plane.so> * fix: harden sanitize_order_by against multi-dash malformed inputs lstrip("-") stripped all leading dashes, allowing "--created_at" to pass the allowlist check unchanged and reach .order_by() as a malformed token (causing FieldError). Now strips only one leading dash; any remaining dash prefix is rejected to the safe default. Co-authored-by: Plane AI <noreply@plane.so> --------- Co-authored-by: Plane AI <noreply@plane.so>
…aceOwnerPermission (makeplane#9290) GHSA-rmmf-rj2q-3rrg: save_user_data() was unconditionally setting is_active=True on every login, silently reactivating any admin-deactivated account. Fix: add an early guard in complete_login_or_signup() that raises USER_ACCOUNT_DEACTIVATED (5019) before any session or save logic if the existing user's is_active=False. Remove the is_active=True assignment and the associated user_activation_email call from save_user_data(). Also remove the now-unused user_activation_email and base_host imports. GHSA-wjgv-cq7w-258v: WorkspaceOwnerPermission in both app/permissions/ and utils/permissions/ was filtering WorkspaceMember without is_active=True, allowing a deactivated workspace owner/admin to retain API access. Add is_active=True to both copies to match every other permission class. Co-authored-by: Plane AI <noreply@plane.so>
… guard (makeplane#9304) * fix(auth): restore activation flow and narrow deactivation guard (GHSA-rmmf-rj2q-3rrg) PR makeplane#9290 introduced two regressions in adapter/base.py: 1. is_signup = bool(user) was inverted — True when the user EXISTS means the IDP sync ran on signup instead of login, and the callback received the wrong value. Fixed to is_signup = not bool(user) matching EE. 2. The deactivation check blocked ALL inactive users, including accounts provisioned with is_active=False that have never completed a first login. Fixed by adding `and user.last_login_time is not None` — only accounts that have previously logged in (and were then explicitly deactivated by an admin) are rejected. Provisioned/never-logged-in accounts still pass through to save_user_data(). 3. Restore is_active=True and user_activation_email in save_user_data() so provisioned accounts are properly activated on first login. Co-authored-by: Plane AI <noreply@plane.so> * fix(auth): save before email, use last_logout_time as deactivation discriminator Two CR fixes on PR makeplane#9304: 1. save_user_data(): capture was_inactive flag, save() first, then send activation email as a best-effort side-effect so a failed enqueue cannot abort account activation. 2. complete_login_or_signup(): switch deactivation discriminator from last_login_time to last_logout_time. The deactivation endpoint always sets last_logout_time, making it a direct signal of explicit deactivation. A provisioned account that was never deactivated has last_logout_time=None and is correctly allowed through for first login, even if it also has no last_login_time. Co-authored-by: Plane AI <noreply@plane.so> --------- Co-authored-by: Plane AI <noreply@plane.so>
Sub-tasks in the spreadsheet/table layout were always displayed in API-response order regardless of the active sort. The main issue list correctly runs through issuesSortWithOrderBy, but the sub-issues came from the detail store (subIssuesByIssueId) which never applied any ordering. Read the current order_by from the issue filter store and pass the raw sub-issue IDs through issues.issuesSortWithOrderBy before rendering, so sub-tasks respect the same date (or any other) sort that the user set for the parent list. Fixes makeplane#9101
codewithsupra
requested review from
dheeru0198,
mguptahub,
pablohashescobar and
sriramveeraghanta
as code owners
Contributor
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
17 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
In the table/spreadsheet layout, sorting by Start date or Due date correctly re-orders parent issues but sub-tasks nested beneath them always stay in API-response order. This makes date sorting feel broken for anyone who uses sub-tasks heavily.
Root cause
Parent issue IDs are stored in
groupedIssueIdsand are processed throughissues.issuesSortWithOrderByon every sort change. Sub-task IDs come from a separate detail store (subIssuesByIssueId) which stores them in the order returned by the API and never re-sorts.SpreadsheetIssueRowreads sub-issues like this:Fix
Read
order_byfrom the issue filter store and pass the raw sub-issue IDs throughissues.issuesSortWithOrderBybefore rendering:This reuses the exact same sorting function that the main list uses, so sub-tasks and parents are always sorted by the same criterion.
Fixes #9101