
[WEB-7895] fix: scope UserProjectInvitationsViewset to workspace-validated project IDs (GHSA-45hc-q4mw-jhxm)#9333

Open
mguptahub wants to merge 1 commit into preview from web-7895/join-project-scope-fix

Conversation

@mguptahub

@mguptahub mguptahub commented Jun 29, 2026

Collaborator

Summary

  • Advisory: GHSA-45hc-q4mw-jhxm (High)
  • Root cause: UserProjectInvitationsViewset.create() validated the network (SECRET/PUBLIC) check against a workspace-scoped queryset, but used the raw client-supplied project_ids list for all subsequent DB writes. An attacker could include UUIDs of projects from other workspaces — those are absent from the validation queryset (bypassing the SECRET check) yet get inserted as ProjectMember rows via bulk_create(ignore_conflicts=True), granting cross-workspace project access.
  • Fix: Derive validated_project_ids = [str(p.id) for p in projects] from the already workspace-scoped, network-checked queryset, and use it exclusively for all ProjectMember and ProjectUserProperty writes.

Changes

apps/api/plane/app/views/project/invite.py

  • Added validated_project_ids derived from the workspace-filtered projects queryset
  • Replaced project_ids with validated_project_ids in the ProjectMember.objects.filter().update(), ProjectMember.objects.bulk_create(), and ProjectUserProperty.objects.bulk_create() calls

Test plan

  • Join a PUBLIC project in own workspace → succeeds
  • Join a SECRET project as MEMBER → blocked with 403
  • Join a SECRET project as ADMIN → succeeds
  • Send project_ids containing UUID of a project in a different workspace → not joined (absent from validated_project_ids)
  • Send mix of valid + cross-workspace IDs → only the valid workspace projects are joined

Co-authored-by: Plane AI <noreply@plane.so>

Summary by CodeRabbit

  • Bug Fixes
    • Improved project invite handling to ensure only validated projects are processed.
    • Prevented invites from affecting projects outside the selected workspace.
    • Made membership and project settings updates apply only to eligible projects.

…dated project IDs (GHSA-45hc-q4mw-jhxm)

The `create` handler validated the network (SECRET/PUBLIC) check against
a workspace-scoped queryset but then used the raw client-supplied
`project_ids` list in the subsequent bulk_create and update calls.
An attacker could include UUIDs of projects from other workspaces: those
are absent from the validation queryset (no network check performed),
yet get inserted as ProjectMember rows via bulk_create(ignore_conflicts=True),
granting cross-workspace project access.

Fix: derive `validated_project_ids` from the filtered queryset (projects
already scoped to the requested workspace and passed the SECRET check),
and use it exclusively for all subsequent DB writes.

Co-authored-by: Plane AI <noreply@plane.so>
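The validate-then-write mismatch described in the PR description and commit message above, reproduced as an added example (not Plane's code) over an in-memory model so it runs without Django. The `join_vulnerable` and `join_fixed` functions, the `Db`/`Project` types, the numeric `SECRET`/`PUBLIC`/`ADMIN`/`MEMBER` values and the `proj-*`/`ws-*` identifiers are all constructed for illustration; only the field names and the `validated_project_ids` derivation mirror what the PR describes. The "before" path keeps the defect the advisory reports: the network check runs against the workspace-filtered set, but the raw client list drives the writes.

```python
"""Added example, not code from the Plane repository.

Models the UserProjectInvitationsViewset.create() logic from the PR with
in-memory tables. Constructed assumptions: the network/role constants, the
Db/Project types and every identifier used in fresh_db().
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SECRET, PUBLIC = 0, 2    # constructed network values; only the distinction matters
ADMIN, MEMBER = 20, 15   # constructed role values


@dataclass
class Project:
    id: str
    workspace: str
    network: int


@dataclass
class Db:
    projects: Dict[str, Project]
    # (project_id, user) pairs; a set gives bulk_create(ignore_conflicts=True) semantics
    members: Set[Tuple[str, str]] = field(default_factory=set)


def fresh_db() -> Db:
    """Constructed sample data: two workspaces, three projects."""
    rows = [
        Project("proj-a-public", "ws-a", PUBLIC),
        Project("proj-a-secret", "ws-a", SECRET),
        Project("proj-b-secret", "ws-b", SECRET),  # belongs to a different workspace
    ]
    return Db(projects={p.id: p for p in rows})


def _validate(db: Db, workspace: str, project_ids: List[str], role: int) -> List[Project]:
    """Mirror of the view's validation step: filter the requested IDs to the
    caller's workspace, then refuse if any SECRET project is present and the
    caller is not an ADMIN. IDs from other workspaces simply drop out here."""
    projects = []
    for pid in project_ids:
        p = db.projects.get(pid)
        if p is not None and p.workspace == workspace:
            projects.append(p)
    if any(p.network == SECRET for p in projects) and role != ADMIN:
        raise PermissionError("403: cannot join a secret project")
    return projects


def _memberships(db: Db, user: str) -> List[str]:
    return sorted(pid for pid, u in db.members if u == user)


def join_vulnerable(db: Db, workspace: str, user: str, role: int,
                    project_ids: List[str]) -> List[str]:
    """'Before' behaviour from the advisory: validation uses the filtered set,
    but the writes iterate the raw client-supplied list."""
    _validate(db, workspace, project_ids, role)
    for pid in project_ids:
        # Only IDs that exist can be inserted (the FK would reject the rest);
        # nothing here checks the workspace, so cross-workspace rows land.
        if pid in db.projects:
            db.members.add((pid, user))
    return _memberships(db, user)


def join_fixed(db: Db, workspace: str, user: str, role: int,
               project_ids: List[str]) -> List[str]:
    """'After' behaviour: every write is driven by IDs taken from the
    workspace-scoped, network-checked queryset, never from request data."""
    projects = _validate(db, workspace, project_ids, role)
    validated_project_ids = [str(p.id) for p in projects]
    for pid in validated_project_ids:
        db.members.add((pid, user))
    return _memberships(db, user)


if __name__ == "__main__":
    mixed = ["proj-a-public", "proj-b-secret"]  # valid ID plus a cross-workspace ID
    print("before:", join_vulnerable(fresh_db(), "ws-a", "alice", MEMBER, mixed))
    print("after: ", join_fixed(fresh_db(), "ws-a", "alice", MEMBER, mixed))
```

The four cases in the PR's test plan map directly onto these functions: a PUBLIC project in the caller's workspace joins in both variants, a SECRET one is refused for MEMBER and allowed for ADMIN in both, and a cross-workspace ID is the only input where the two diverge. The general rule the fix applies is that the collection used for authorization and the collection used for persistence must be the same object; any re-read of `request.data` after validation reopens the gap.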
Copilot AI review requested due to automatic review settings June 29, 2026 12:05

Copilot AI left a comment

Contributor


Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d9257c80-3100-4462-9432-5d45d4fff55c

📥 Commits

Reviewing files that changed from the base of the PR and between 90ae845 and 7d0b33b.

📒 Files selected for processing (1)
  • apps/api/plane/app/views/project/invite.py

📝 Walkthrough

Walkthrough

In UserProjectInvitationsViewset.create, a validated_project_ids list is derived from the already-filtered projects queryset. This list replaces the raw request.data["project_ids"] in the ProjectMember reactivation filter, the ProjectMember bulk-create loop, and the ProjectUserProperty bulk-create loop.

Changes

Project Invitation ID Validation Fix

  • Layer / File(s): apps/api/plane/app/views/project/invite.py
  • Summary: Use validated project IDs in member and property operations. Extracts validated_project_ids from the filtered projects queryset and uses it in place of raw project_ids from the request for ProjectMember reactivation, ProjectMember bulk-create, and ProjectUserProperty bulk-create.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • pablohashescobar
  • dheeru0198

Poem

🐇 A sneaky ID slipped through the gate,
Claiming projects from another state.
Now validated_ids hold the key,
Only workspace-checked projects run free.
No cross-workspace tricks shall pass, you see! 🔒

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check (✅ Passed): The title clearly summarizes the fix to scope invitations to validated workspace project IDs.
  • Description check (✅ Passed): The description covers the bug, fix, changed file, and test plan; only optional template sections are omitted.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.

@makeplane

makeplane Bot commented Jun 29, 2026
