[WEB-7787] fix(security): block deactivated user login and fix WorkspaceOwnerPermission (Cluster X)#9290

Open
mguptahub wants to merge 1 commit into preview from web-7787/fix-deactivated-user-access
Conversation

mguptahub (Collaborator) commented Jun 22, 2026

Summary

Two vulnerabilities related to deactivated user accounts, both of which allow disabled accounts to retain or regain access.

Changes

GHSA-rmmf-rj2q-3rrg (high) — Deactivated user auto-reactivation on login

save_user_data() in adapter/base.py was unconditionally calling user.is_active = True on every successful authentication, silently reactivating any account that an admin had deactivated.

Fix: Add an early guard in complete_login_or_signup() — if the user exists and is_active=False, raise AuthenticationException(USER_ACCOUNT_DEACTIVATED) before any session or save logic. Remove the is_active=True assignment and the associated user_activation_email call from save_user_data(). Remove now-unused user_activation_email and base_host imports.

GHSA-wjgv-cq7w-258v (medium) — Deactivated owner retains workspace access

WorkspaceOwnerPermission in both plane/app/permissions/workspace.py and plane/utils/permissions/workspace.py was filtering WorkspaceMember without is_active=True. Every other permission class (WorkSpaceAdminPermission, WorkspaceEntityPermission, etc.) correctly included this filter. The missing filter allowed a deactivated workspace owner/admin to still hit admin-gated API endpoints.

Fix: Add is_active=True to the WorkspaceMember filter in both copies.

Test plan

  • Deactivate a user via admin panel; attempt login via password — should return USER_ACCOUNT_DEACTIVATED error
  • Deactivate a user; attempt login via magic link — same rejection
  • Deactivate a user; attempt login via GitHub/Google OAuth — same rejection
  • Normal active user login still works end-to-end
  • Deactivate a workspace owner; attempt workspace invitation API (POST /api/v1/workspaces/{slug}/invitations/) — should return 403
  • Active workspace owner can still use invitation API

Co-authored-by: Plane AI <noreply@plane.so>

Summary by CodeRabbit

  • Bug Fixes
    • Deactivated user accounts are now properly blocked from logging in and can no longer be automatically reactivated.
    • Workspace membership status is now validated when checking access permissions.

…aceOwnerPermission

GHSA-rmmf-rj2q-3rrg: save_user_data() was unconditionally setting
is_active=True on every login, silently reactivating any admin-deactivated
account. Fix: add an early guard in complete_login_or_signup() that raises
USER_ACCOUNT_DEACTIVATED (5019) before any session or save logic if the
existing user's is_active=False. Remove the is_active=True assignment and
the associated user_activation_email call from save_user_data(). Also
remove the now-unused user_activation_email and base_host imports.

GHSA-wjgv-cq7w-258v: WorkspaceOwnerPermission in both app/permissions/
and utils/permissions/ was filtering WorkspaceMember without is_active=True,
allowing a deactivated workspace owner/admin to retain API access. Add
is_active=True to both copies to match every other permission class.

Co-authored-by: Plane AI <noreply@plane.so>
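The following is an added illustration of the two fixes described in the PR description and commit message above; it is not Plane's code and does not use Django. It models the pre-fix and post-fix shapes of `save_user_data()` / `complete_login_or_signup()` and of `WorkspaceOwnerPermission.has_permission` with plain Python stand-ins. Assumptions not stated on the page: `ADMIN_ROLE = 20` as the owner/admin role value, the exception's constructor signature, the error message text, and that deactivating a user also leaves that user's `WorkspaceMember` row with `is_active=False` (which is what makes the added filter bite). The error code 5019 is the one quoted in the commit message.

```python
"""Toy model of the PR's two fixes: a login-completion guard that refuses
deactivated users instead of reactivating them, and a workspace owner check
that requires an active membership row. Stand-ins only, not Plane's classes."""
from dataclasses import dataclass
from typing import Iterable, Optional

USER_ACCOUNT_DEACTIVATED = 5019  # error code quoted in the commit message
ADMIN_ROLE = 20                  # assumed owner/admin role value for this toy model


class AuthenticationException(Exception):
    """Stand-in for Plane's exception; constructor shape is an assumption."""

    def __init__(self, error_code: int, error_message: str) -> None:
        super().__init__(error_message)
        self.error_code = error_code
        self.error_message = error_message


@dataclass
class User:
    email: str
    is_active: bool = True
    last_login_medium: Optional[str] = None


@dataclass
class WorkspaceMember:
    user_email: str
    workspace_slug: str
    role: int
    is_active: bool = True


class VulnerableAdapter:
    """Pre-fix shape of adapter/base.py: every successful login reactivates."""

    def save_user_data(self, user: User, medium: str) -> User:
        user.is_active = True            # GHSA-rmmf-rj2q-3rrg: unconditional reactivation
        user.last_login_medium = medium
        return user

    def complete_login_or_signup(self, user: User, medium: str) -> User:
        return self.save_user_data(user, medium)   # no is_active check on the path


class FixedAdapter:
    """Post-fix shape: guard first; save_user_data only records login metadata."""

    def save_user_data(self, user: User, medium: str) -> User:
        user.last_login_medium = medium  # is_active is never written here
        return user

    def complete_login_or_signup(self, user: User, medium: str) -> User:
        # Early guard, before any session or save logic runs.
        if user is not None and not user.is_active:
            raise AuthenticationException(
                USER_ACCOUNT_DEACTIVATED, "Your account has been deactivated."
            )
        return self.save_user_data(user, medium)


def owner_permission_vulnerable(members: Iterable[WorkspaceMember], user: User, slug: str) -> bool:
    """Pre-fix WorkspaceOwnerPermission: matches any admin row, active or not."""
    return any(
        m.user_email == user.email and m.workspace_slug == slug and m.role == ADMIN_ROLE
        for m in members
    )


def owner_permission_fixed(members: Iterable[WorkspaceMember], user: User, slug: str) -> bool:
    """Post-fix: the is_active=True filter the other permission classes already had."""
    return any(
        m.user_email == user.email and m.workspace_slug == slug
        and m.role == ADMIN_ROLE and m.is_active
        for m in members
    )


def try_login(adapter, user: User, medium: str) -> dict:
    """Run one login attempt and report outcome, error code and resulting is_active."""
    try:
        adapter.complete_login_or_signup(user, medium)
        return {"accepted": True, "error_code": None, "is_active_after": user.is_active}
    except AuthenticationException as exc:
        return {"accepted": False, "error_code": exc.error_code, "is_active_after": user.is_active}


if __name__ == "__main__":
    # Constructed scenario: an admin deactivated alice; her owner row is inactive too.
    alice = User("alice@example.com", is_active=False)
    members = [WorkspaceMember("alice@example.com", "acme", ADMIN_ROLE, is_active=False)]
    print("login before fix:", try_login(VulnerableAdapter(), User("alice@example.com", is_active=False), "email"))
    print("login after fix: ", try_login(FixedAdapter(), alice, "email"))
    print("owner check before/after:",
          owner_permission_vulnerable(members, alice, "acme"),
          owner_permission_fixed(members, alice, "acme"))
```

The medium string stands in for password, magic link and OAuth logins alike: the guard sits in `complete_login_or_signup`, so every provider that funnels through it is rejected the same way, which is what the test plan's three login cases check.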
@mguptahub mguptahub requested a review from dheeru0198 as a code owner June 22, 2026 11:11
Copilot AI review requested due to automatic review settings June 22, 2026 11:11

Copilot AI (Contributor) left a comment

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

coderabbitai Bot (Contributor) commented Jun 22, 2026

No actionable comments were generated in the recent review. 🎉
📥 Commits

Reviewing files that changed from the base of the PR and between 4a0746b and 25a5d42.

📒 Files selected for processing (3)
  • apps/api/plane/app/permissions/workspace.py
  • apps/api/plane/authentication/adapter/base.py
  • apps/api/plane/utils/permissions/workspace.py

📝 Walkthrough

Three files add is_active enforcement to authentication and authorization paths. The auth adapter now rejects deactivated users at login/signup completion instead of reactivating them. Both workspace owner permission classes now require an active membership record when evaluating the admin/owner role.

Changes

Active-state enforcement across auth and workspace permissions

Layer: Auth adapter deactivation guard
File(s): apps/api/plane/authentication/adapter/base.py
Summary: Removes imports for base_host and user_activation_email. Strips the reactivation logic from save_user_data so it only updates login fields. Adds an early guard in complete_login_or_signup that raises AuthenticationException(USER_ACCOUNT_DEACTIVATED) when the resolved user has is_active=False.

Layer: Workspace owner permission active membership check
File(s): apps/api/plane/app/permissions/workspace.py, apps/api/plane/utils/permissions/workspace.py
Summary: Both WorkspaceOwnerPermission.has_permission implementations add is_active=True to the WorkspaceMember queryset filter, excluding inactive memberships from the admin/owner role match.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hop, hop — no sneaking back in,
If your account's gone quiet within!
The adapter checks with a vigilant eye,
Inactive members? Permission denied!
The warren's secure, no ghosts get a key. ✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Description check: ❓ Inconclusive. The description provides detailed security vulnerability context, specific fixes, and a comprehensive test plan, but is not formatted according to the repository template structure. Resolution: restructure the description to follow the template: add Type of Change checkboxes, organize content into the template sections, and keep the security details as part of the Description section.

✅ Passed checks (3 passed)

  • Title check: ✅ Passed. The title accurately captures the core security fixes: blocking deactivated user login and correcting WorkspaceOwnerPermission, matching the main changes in the changeset.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

makeplane Bot commented Jun 22, 2026

Linked to Plane Work Item(s)

This comment was auto-generated by Plane

Labels

None yet

Projects

None yet

2 participants