[WEB-7730] fix(security): scope cascade deletes to workspace in BulkDeleteIssuesEndpoint

[mguptahub]

Summary

• BulkDeleteIssuesEndpoint.delete() correctly scoped the issues queryset to workspace+project, but the cascade deletes on CycleIssue and ModuleIssue used the raw issue_ids from the request
• An attacker could pass issue IDs from another workspace to delete CycleIssue/ModuleIssue records they don't own
• Fix: replace issue_id__in=issue_ids (raw user input) with issue__in=issues (the already-scoped queryset) in both cascade deletes

Affected advisories (Cluster H)

• GHSA-6cw7-h92q-p9hg — Cross-WS destruction via unscoped BulkDeleteIssues
• GHSA-2rr4-rp7r-32p4 — Cross-WS CycleIssue/ModuleIssue deletion via BulkDelete cascade
• GHSA-7q7r-mrr4-2wwx — Cross-WS parent reassign via SubIssues (covered in WEB-7727 / PR [WEB-7727] fix(security): scope issue ID validation to workspace/project in bulk endpoints #9269)

Changes

File	Change
apps/api/plane/app/views/issue/base.py	Replace issue_id__in=issue_ids → issue__in=issues in CycleIssue and ModuleIssue cascade deletes

Test plan

• Call bulk delete with issue IDs from workspace B while authenticated in workspace A — CycleIssue/ModuleIssue records from workspace B should not be deleted
• Verify normal bulk delete still works — issues and their cycle/module memberships in the correct workspace are deleted

Summary by CodeRabbit

Summary by CodeRabbit

• Bug Fixes
  • Fixed bulk deletion of issues so related cycle and module associations are removed using the same already-scoped workspace and project filtering, preventing leftover orphaned records.

[Copilot]

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a3c84d17-43ce-439a-9a4c-c0142f85546c

📥 Commits

Reviewing files that changed from the base of the PR and between d4e8026 and 85ee49a.

📒 Files selected for processing (1)

• apps/api/plane/app/views/issue/base.py

💤 Files with no reviewable changes (1)

• apps/api/plane/app/views/issue/base.py

---

📝 Walkthrough

Walkthrough

In BulkDeleteIssuesEndpoint.delete, the deletion of related CycleIssue and ModuleIssue records is changed to filter by issue__in=issues (the workspace/project-scoped queryset) instead of issue_id__in=issue_ids (raw IDs from the request payload).

Changes

Bulk Issue Deletion Scoping Fix

Layer / File(s)	Summary
Scoped CycleIssue and ModuleIssue deletion apps/api/plane/app/views/issue/base.py	CycleIssue and ModuleIssue delete calls change from issue_id__in=issue_ids to issue__in=issues, tying related-record deletions to the already workspace- and project-scoped issues queryset rather than the raw request IDs.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A rabbit once hopped through a field of IDs,
And found some unscoped ones hiding in weeds.
"Use the queryset!" she twitched her small nose,
Now cycles and modules delete with proper scope.
Tidy and safe, as every good burrow should be! 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and specifically describes the security fix: scoping cascade deletes to workspace in BulkDeleteIssuesEndpoint, which aligns with the main change.
Description check	✅ Passed	The PR description includes comprehensive context about the security vulnerability, the fix, affected advisories, and test scenarios; however, the Type of Change checkbox section from the template is not filled out.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch web-7730/fix-bulk-delete-cascade

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[makeplane]

Linked to Plane Work Item(s)

• (WEB-7730) Security: Fix cross-WS cascade delete in BulkDeleteIssuesEndpoint

References

• (WEB-7727) Security: Fix cross-tenant IDOR in cycle/sub-issue/relation/module endpoints

This comment was auto-generated by Plane