mirror/plane
1
0
Fork 0
mirror of https://github.com/makeplane/plane.git synced 2026-05-18 23:19:02 -05:00
Code Issues Packages Projects Releases Wiki Activity

fix: scope IssueBulkUpdateDateEndpoint query to workspace and project (#8834)

Browse Source 
The bulk update date endpoint fetched issues by ID without filtering
by workspace or project, allowing any authenticated project member to
modify start_date and target_date of issues in any workspace/project
across the entire instance (IDOR - CWE-639).

Scoped the query to include workspace__slug and project_id filters,
consistent with other issue endpoints in the codebase.

Ref: GHSA-4q54-h4x9-m329
This commit is contained in:
sriram veeraghanta
2026-03-31 17:43:35 +05:30
committed by GitHub
parent 00a51f5e6a
commit a01b51fca5
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/api/plane/app/views/issue/base.py
+1 -1
View File
@@ -1118,7 +1118,7 @@ class IssueBulkUpdateDateEndpoint(BaseAPIView):
epoch = int(timezone.now().timestamp())
# Fetch all relevant issues in a single query
issues = list(Issue.objects.filter(id__in=issue_ids))
issues = list(Issue.objects.filter(id__in=issue_ids, workspace__slug=slug, project_id=project_id))
issues_dict = {str(issue.id): issue for issue in issues}
issues_to_update = []