fix(api): require at least one alphanumeric char in workspace name #9278
Workspace name validation was enforced only on the frontend
(validateWorkspaceName), which gates the UI submit but is bypassable
via a direct API call. The backend WorkSpaceSerializer.validate_name
only rejected URLs, so a symbol-only name like "-_________-" could
still be saved via create or the rename (partial_update) path.
Add a Unicode-aware has_alphanumeric() helper and enforce it in both
the app and instance/license workspace serializers, mirroring the
frontend HAS_ALPHANUMERIC_REGEX (/[\p{L}\p{N}]/u) added in #9263.
International names (日本語, José, محمد) still pass since str.isalnum()
covers all scripts.
Adds unit tests covering symbol-only rejection and international
acceptance on both serializers.
Refs #9255
Signed-off-by: sriramveeraghanta <veeraghanta.sriram@gmail.com>
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@apps/api/plane/license/api/serializers/workspace.py`:
- Around line 22-31: The validate_name method in WorkspaceSerializer currently
only validates that the name contains alphanumeric characters but does not
reject URL-containing values, while another serializer implementation rejects
URLs. Add URL rejection logic to the validate_name method in WorkspaceSerializer
to ensure consistent validation behavior across both serializer implementations.
The URL check should be performed before or after the has_alphanumeric
validation check to mirror the behavior of the other serializer and prevent
URL-containing names from being accepted.
📒 Files selected for processing (4)
- apps/api/plane/app/serializers/workspace.py
- apps/api/plane/license/api/serializers/workspace.py
- apps/api/plane/tests/unit/serializers/test_workspace.py
- apps/api/plane/utils/content_validator.py
Address CodeRabbit review on #9278: the instance/license WorkspaceSerializer.validate_name rejected symbol-only names but, unlike the app-level WorkSpaceSerializer, still accepted names containing URLs.
Add the same contains_url() guard (imported from plane.utils.url, not content_validator) so both workspace-create paths validate identically.
Add unit tests asserting URL-containing names are rejected on both serializers.
Signed-off-by: sriramveeraghanta <veeraghanta.sriram@gmail.com>
…cope + workspace-name validation + Storybook v10) upstream makeplane#9269/makeplane#9270 (scope issue-ID/cascade-delete to the workspace in bulk endpoints), makeplane#9263/makeplane#9278 (workspace name ≥1 alphanumeric), makeplane#9277 (Storybook v10).
The sub_issue.py conflict was resolved by merging: eyriehq validate_sub_issues_bulk + upstream workspace__slug scope. Our GraphQL gateway is already safe (re-parent mutations are scoped by project=p), no support is needed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Description
Follow-up to #9263, which fixed the symbol-only workspace name bug (#9255) on the frontend by adding `HAS_ALPHANUMERIC_REGEX` to `validateWorkspaceName` / `validateCompanyName`.
That fix is correct, but the frontend validators run as react-hook-form `validate` callbacks — they only gate the UI submit button and are bypassable via a direct API call. The backend never enforced the rule:
- `WorkSpaceSerializer.validate_name` (`apps/api/plane/app/serializers/workspace.py`) only rejected URLs, so a symbol-only name like `-_________-` is still accepted on both the create (`POST`) and rename (`PATCH` → `partial_update`) paths, which share this serializer's field-level validation.
- `WorkspaceSerializer` (`apps/api/plane/license/api/serializers/workspace.py`) had no `validate_name` at all.

Since #9255 reports the name being saved (a server-side concern), this PR closes the gap end-to-end.
Changes
- `has_alphanumeric()` helper to `plane/utils/content_validator.py`. `str.isalnum()` covers letters/digits in all scripts, mirroring the frontend `/[\p{L}\p{N}]/u`.
- `WorkSpaceSerializer.validate_name` (covers create + rename) and add `validate_name` to the instance/license `WorkspaceSerializer` (covers instance-admin create).
- `日本語`, `José`, `محمد`, `R&D`, `123`, …) are accepted, on both serializers.

Why `isalnum()`
It rejects only names made entirely of spaces, hyphens, underscores, punctuation, or emoji — exactly the reported failure mode — while accepting every legitimate name in any language. This matches what the merged frontend fix already enforces, so there is no UI/backend divergence and no risk of rejecting valid existing names like `Acme, Inc.` or `R&D`.
Type of Change
Test Scenarios
- `plane/tests/unit/serializers/test_workspace.py` unit tests (`-m unit`) covering symbol-only rejection (`-_________-`, `---`, `___`, `- - -`, whitespace-only) and international/alphanumeric acceptance, for both `WorkSpaceSerializer` and the instance/license `WorkspaceSerializer`.
- `has_alphanumeric()` logic against every case; `py_compile` passes on all changed files. (Full pytest suite runs in CI.)

References
Summary by CodeRabbit
Bug Fixes
Tests
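The rule this PR describes, as an added example that is not the project's code: a per-character `str.isalnum()` check on the server, cross-checked against a Unicode-category mirror of the frontend `/[\p{L}\p{N}]/u` rule so that UI/backend divergence shows up as data. The body of `has_alphanumeric` is an assumed implementation, and `matches_frontend_rule`, `validate_name`, `divergent` and `rejected` are hypothetical names; the sample names are the ones listed in the description.

```python
import unicodedata

# Constructed sample names, taken from the cases the PR description lists.
SYMBOL_ONLY = ["-_________-", "---", "___", "- - -", "   "]
LEGITIMATE = ["日本語", "José", "محمد", "R&D", "123", "Acme, Inc."]


def has_alphanumeric(value: str) -> bool:
    # Server-side rule: at least one character is a letter or digit.
    # Checked per character; value.isalnum() on the whole string would
    # wrongly reject "R&D" or "Acme, Inc." because of the symbols.
    return any(ch.isalnum() for ch in value)


def matches_frontend_rule(value: str) -> bool:
    # Mirror of the frontend regex using Unicode general categories:
    # L* (letters) and N* (numbers).
    return any(unicodedata.category(ch)[0] in ("L", "N") for ch in value)


def validate_name(value: str) -> str:
    # Hypothetical stand-in for a serializer field validator; a real
    # serializer would raise its framework's validation error instead.
    if not has_alphanumeric(value):
        raise ValueError("Name must contain at least one letter or number")
    return value


def divergent(names):
    # Names on which the backend and frontend rules disagree.
    return [n for n in names if has_alphanumeric(n) != matches_frontend_rule(n)]


def rejected(names):
    # Names that validate_name refuses, in input order.
    out = []
    for n in names:
        try:
            validate_name(n)
        except ValueError:
            out.append(n)
    return out


if __name__ == "__main__":
    samples = SYMBOL_ONLY + LEGITIMATE
    print("rejected:", rejected(samples))
    # Emoji-only and combining-mark-only names are added as edge cases.
    print("divergent:", divergent(samples + ["🎉", "\u0301"]))
```
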