
[WEB-7776] fix(security): scope FileAsset queries to prevent cross-project IDOR (Cluster F)#9288

Open: mguptahub wants to merge 1 commit into preview from web-7776/fix-asset-idor

Conversation

mguptahub (Collaborator) commented Jun 22, 2026

Summary

Multiple asset endpoints were missing project-level scoping on FileAsset queryset filters, allowing authenticated users to access, mark-uploaded, or restore assets belonging to other projects or workspaces they are not members of.

Fixes applied

| Priority | Endpoint | File | Fix |
|---|---|---|---|
| P0 | ProjectBulkAssetEndpoint.post | app/views/asset/v2.py | Add project_id=project_id to asset filter |
| P0 | EntityAssetEndpoint.get | space/views/asset.py | Add project_id=deploy_board.project_id |
| P0 | EntityAssetEndpoint.patch | space/views/asset.py | Add project_id=deploy_board.project_id |
| P1 | AssetRestoreEndpoint.post | space/views/asset.py | Add project_id=deploy_board.project_id |
| P1 | FileAssetEndpoint V1 (get/post/delete) | app/views/asset/base.py | Add WorkspaceMember membership check |
| P1 | FileAssetViewSet.restore V1 | app/views/asset/base.py | Add WorkspaceMember membership check |
| P2 | WorkspaceFileAssetEndpoint.post | app/views/asset/v2.py | Gate WORKSPACE_LOGO upload on ROLE.ADMIN |
| P2 | DuplicateAssetEndpoint.post | app/views/asset/v2.py | Restrict source asset lookup to same workspace |

Advisories addressed

GHSA-r2hw (critical), GHSA-jh4v (high), GHSA-8688 (high), GHSA-3hrj, GHSA-3892, GHSA-3ggg, GHSA-gcpp, GHSA-p57q, GHSA-c68q, GHSA-8chr, GHSA-58qm, GHSA-wrrw, GHSA-j4mj, GHSA-85h2, GHSA-29q3, GHSA-mwh2, GHSA-xrpv and related duplicates.

Test plan

  • Upload an asset to Project A, then attempt POST /api/v1/workspaces/{slug}/projects/{projectB_id}/bulk-asset-save/ with the asset ID — should return 404
  • On a public board, attempt PATCH /spaces/{anchor}/assets/{asset_from_other_project}/ — should return 404
  • On a public board, attempt POST /spaces/{anchor}/assets/{id}/restore/ with asset from a different project — should return 404
  • Attempt GET /api/workspaces/{ws_id}/{asset_key} from a user not in the workspace — should return 404
  • As MEMBER, attempt POST /api/v1/workspaces/{slug}/file-assets/ with entity_type=WORKSPACE_LOGO — should return 403
  • As ADMIN, attempt same call — should succeed
  • DuplicateAssetEndpoint: attempt to duplicate an asset from workspace B while calling endpoint in workspace A — should return 404

Co-authored-by: Plane AI <noreply@plane.so>

Summary by CodeRabbit

Release Notes

  • Bug Fixes
    • Added workspace membership verification for asset access, uploads, and deletions
    • Restricted workspace logo uploads to administrators only
    • Prevented unauthorized cross-project asset access
    • Enhanced authorization checks for asset restoration operations
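The three controls this PR applies (project-scoped asset lookup, workspace membership check, ADMIN gate on WORKSPACE_LOGO) modelled as a self-contained Python example. This is an added illustration, not Plane's code: the in-memory FileAsset records, the membership map, the role constants and the function names are all assumptions, and the status codes follow the PR's test plan.

```python
# Added example (not Plane's code): a minimal model of the asset-endpoint
# authorization pattern this PR introduces. All names and data are assumed.
from dataclasses import dataclass
from typing import Optional

ADMIN, MEMBER = 20, 15  # assumed role values, not Plane's ROLE enum


@dataclass(frozen=True)
class FileAsset:
    id: str
    workspace_id: str
    project_id: Optional[str]


# Constructed fixtures: projects projA and projB live in workspace ws1,
# projC lives in ws2. alice is a MEMBER of ws1, bob is an ADMIN of ws1.
ASSETS = [
    FileAsset("a1", "ws1", "projA"),
    FileAsset("a2", "ws1", "projB"),
    FileAsset("a3", "ws2", "projC"),
]
MEMBERSHIPS = {("alice", "ws1"): MEMBER, ("bob", "ws1"): ADMIN}


def get_asset_unscoped(asset_id: str) -> Optional[FileAsset]:
    """Pre-fix lookup: any authenticated caller reaches any asset by id (the IDOR)."""
    return next((a for a in ASSETS if a.id == asset_id), None)


def get_asset_scoped(asset_id: str, workspace_id: str, project_id: str) -> Optional[FileAsset]:
    """Post-fix lookup: the asset must belong to the workspace AND project in the URL."""
    return next((a for a in ASSETS if a.id == asset_id
                 and a.workspace_id == workspace_id and a.project_id == project_id), None)


def bulk_asset_save_status(user: str, workspace_id: str, project_id: str, asset_id: str) -> int:
    """Status the hardened bulk-asset-save path returns; 404 hides both membership and asset."""
    if (user, workspace_id) not in MEMBERSHIPS:
        return 404
    return 200 if get_asset_scoped(asset_id, workspace_id, project_id) else 404


def workspace_logo_upload_status(user: str, workspace_id: str, entity_type: str) -> int:
    """WORKSPACE_LOGO uploads need ADMIN; other entity types only need membership."""
    role = MEMBERSHIPS.get((user, workspace_id))
    if role is None:
        return 404
    if entity_type == "WORKSPACE_LOGO" and role != ADMIN:
        return 403
    return 201
```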

…oject IDOR (Cluster F)

Multiple asset endpoints were missing project-level scoping on FileAsset
queryset filters, allowing authenticated users to access, mark-uploaded,
or restore assets belonging to other projects/workspaces.

- ProjectBulkAssetEndpoint.post: add project_id= scope to asset filter
- EntityAssetEndpoint.get/patch: add project_id=deploy_board.project_id
- AssetRestoreEndpoint.post: add project_id=deploy_board.project_id
- FileAssetEndpoint (V1): add workspace membership check on get/post/delete
- FileAssetViewSet.restore (V1): add workspace membership check
- WorkspaceFileAssetEndpoint.post: gate WORKSPACE_LOGO on ADMIN role
- DuplicateAssetEndpoint.post: restrict source asset to same workspace

Fixes GHSA-r2hw, GHSA-jh4v, GHSA-8688, GHSA-3hrj and related advisories.

Co-authored-by: Plane AI <noreply@plane.so>
Copilot AI review requested due to automatic review settings June 22, 2026 10:39

Copilot AI (Contributor) left a comment

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

coderabbitai Bot (Contributor) commented Jun 22, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 4a0746b and e063c2c.

📒 Files selected for processing (3)
  • apps/api/plane/app/views/asset/base.py
  • apps/api/plane/app/views/asset/v2.py
  • apps/api/plane/space/views/asset.py

📝 Walkthrough

Three asset-related view files receive authorization hardening: FileAssetEndpoint in base.py gains active workspace-membership checks on all four HTTP methods; v2.py adds an admin role gate for workspace-logo uploads, adds project_id scoping to the bulk asset query, and tightens the duplicate-asset source lookup to the destination workspace; space/views/asset.py adds project_id to asset queries in get, patch, and restore to prevent cross-project IDOR.

Changes

Asset Endpoint Authorization Hardening

| Layer / File(s) | Summary |
|---|---|
| Workspace membership guards on FileAssetEndpoint (apps/api/plane/app/views/asset/base.py) | Imports WorkspaceMember and inserts active-membership checks at the top of get, post, delete, and restore; post additionally resolves the workspace by slug with a 404 guard before saving the serializer with the resolved workspace_id. |
| Admin gate for logo upload and scoping fixes in v2 endpoints (apps/api/plane/app/views/asset/v2.py) | WorkspaceFileAssetEndpoint.post returns 403 when the caller is not an admin for WORKSPACE_LOGO uploads; ProjectBulkAssetEndpoint.post adds project_id to the FileAsset filter; DuplicateAssetEndpoint.post scopes the source asset lookup to the destination workspace instead of the caller's memberships. |
| Cross-project IDOR fix in space-app asset endpoints (apps/api/plane/space/views/asset.py) | Adds project_id to the FileAsset filter in EntityAssetEndpoint.get, EntityAssetEndpoint.patch, and AssetRestoreEndpoint.post, preventing assets from being accessed or restored across project boundaries. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • makeplane/plane#9212: Implements the same cross-workspace asset authorization pattern at the endpoint level via workspace membership checks on asset operations, directly overlapping with the FileAssetEndpoint membership guards added in this PR.

Suggested reviewers

  • dheeru0198
  • pablohashescobar
  • sangeethailango

Poem

🐰 A bunny guards the warren door,
No stranger slips through any more.
Each slug is checked, each project scoped,
Cross-project sneaks? Their access roped.
The logo vault needs admin keys,
Our assets rest in safety's ease! 🔐

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately and specifically describes the main security fix: scoping FileAsset queries to prevent cross-project IDOR vulnerabilities across multiple endpoints. |
| Description check | ✅ Passed | The description is comprehensive, detailing fixes across 8 endpoints with priority levels, affected files, and a detailed test plan, though it uses a table format rather than strictly following the template sections. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


makeplane Bot commented Jun 22, 2026

Linked to Plane Work Item(s)

This comment was auto-generated by Plane
