
[WEB-7847] fix: enforce workspace membership on entity-search endpoint #9296

Open

mguptahub wants to merge 2 commits into preview from web-7847/fix-entity-search-ws-guard

Conversation


@mguptahub mguptahub commented Jun 23, 2026

Collaborator

Summary

  • SearchEndpoint (/workspaces/<slug>/entity-search/) required authentication but did not verify the requesting user was a member of the queried workspace
  • Any authenticated Plane user could enumerate members of workspaces they don't belong to by knowing or guessing the workspace slug
  • Fixes GHSA-32q3-mqpc-3mhv (medium — cross-workspace member enumeration)

Fix

Added a WorkspaceMember guard at the top of SearchEndpoint.get() — returns 403 Forbidden if the requesting user is not an active member of the target workspace.

The EE version already had this protection via @can(WorkspacePermissions.VIEW). This brings OSS to parity.

Files changed: apps/api/plane/app/views/search/base.py (+10 lines)

Test plan

  • Authenticated user queries /workspaces/<own-slug>/entity-search/ → 200 OK with results
  • Authenticated user queries /workspaces/<other-slug>/entity-search/ for a workspace they don't belong to → 403 Forbidden
  • Unauthenticated request → 401 Unauthorized (unchanged, handled by BaseAPIView)

Summary by CodeRabbit

  • Security / Bug Fixes
    • Updated search access controls to require proper workspace user authorization.
    • Requests to the search feature are now restricted to active workspace members, helping prevent unauthorized access to workspace data.

…3-mqpc-3mhv)

SearchEndpoint required authentication but did not verify the requesting user
was a member of the queried workspace. Any authenticated Plane user could
enumerate members across workspaces they don't belong to by guessing slugs.

Add a WorkspaceMember guard at the top of get() — returns 403 if the user is
not an active member of the target workspace. Brings OSS to parity with EE,
which already had this protection via @can(WorkspacePermissions.VIEW).

Co-authored-by: Plane AI <noreply@plane.so>
Copilot AI review requested due to automatic review settings June 23, 2026 11:13

Copilot AI left a comment

Contributor


Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 68ef2e48-283e-4410-9644-df305495efc2

📥 Commits

Reviewing files that changed from the base of the PR and between 162ffb1 and 233a96d.

📒 Files selected for processing (1)
  • apps/api/plane/app/views/search/base.py

📝 Walkthrough


SearchEndpoint now requires WorkspaceUserPermission via permission_classes, adding authorization enforcement to the endpoint without changing the get logic.

Changes

Search Permission Guard

Layer: SearchEndpoint permission classes
File(s): apps/api/plane/app/views/search/base.py
Summary: SearchEndpoint imports WorkspaceUserPermission and sets it as the endpoint permission class.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • pablohashescobar
  • dheeru0198

Poem

🐇 I hopped to search, then found a gate,
With permission checks that guard the state.
Only members may wander through,
A tiny change, crisp and true.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title is concise and accurately summarizes the security fix to enforce workspace membership on entity-search.
  • Description check: ✅ Passed. The PR description covers the issue, fix, and test plan, though it omits the template's type-of-change and screenshots sections.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@makeplane

makeplane Bot commented Jun 23, 2026


Linked to Plane Work Item(s)

This comment was auto-generated by Plane

Comment thread apps/api/plane/app/views/search/base.py Outdated
Comment on lines +304 to +314
class SearchEndpoint(BaseAPIView):
def get(self, request, slug):
# Verify the requesting user is an active member of the target workspace.
# Without this guard any authenticated user can enumerate members of
# workspaces they do not belong to (GHSA-32q3-mqpc-3mhv).
if not WorkspaceMember.objects.filter(
member=request.user,
workspace__slug=slug,
is_active=True,
).exists():
return Response({"error": "Forbidden"}, status=status.HTTP_403_FORBIDDEN)
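Review bot: the membership check lives inside get(), so it protects only this one handler and runs only after the view method has been entered; any other method later added to SearchEndpoint would start out without the guard. Enforcing it through the view's permission layer (permission_classes, evaluated before dispatch to the handler) covers every method uniformly. Two smaller points on the same lines: the bespoke `{"error": "Forbidden"}` body differs from the standard permission-denied error shape the framework emits, so clients would see two 403 formats for the same condition, and the hunk relies on WorkspaceMember, Response and status being imported in base.py, which it does not show, so please confirm those imports are present.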

Member


Suggested change
class SearchEndpoint(BaseAPIView):
def get(self, request, slug):
# Verify the requesting user is an active member of the target workspace.
# Without this guard any authenticated user can enumerate members of
# workspaces they do not belong to (GHSA-32q3-mqpc-3mhv).
if not WorkspaceMember.objects.filter(
member=request.user,
workspace__slug=slug,
is_active=True,
).exists():
return Response({"error": "Forbidden"}, status=status.HTTP_403_FORBIDDEN)
class SearchEndpoint(BaseAPIView):
permission_classes = (WorkspaceUserPermission, )
def get(self, request, slug):
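Review bot: the replacement drops the explicit is_active=True filter that the inline check carried, so please confirm that WorkspaceUserPermission itself rejects deactivated members and add a test for that case (inactive member of the target workspace, expected 403); the PR's test plan only lists the member, non-member and unauthenticated cases. Also write the tuple as `(WorkspaceUserPermission,)` without the stray space, and check that the import of WorkspaceUserPermission is added while the WorkspaceMember, Response and status imports are removed if nothing else in base.py still uses them.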

Instead of doing inline, please use the existing permission class
@mguptahub

Collaborator Author


Done. Swapped the inline check for permission_classes = (WorkspaceUserPermission,) on SearchEndpoint. WorkspaceUserPermission reads view.workspace_slug which resolves to self.kwargs.get("slug") — matching the URL kwarg — so the enforcement is identical, just in the right layer.
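The before/after behaviour from the PR description (authentication only, versus an active-membership guard) and the author's note above that the permission class reads the slug from view.workspace_slug, i.e. the URL kwarg, are shown below in an added, framework-free example. This is not Plane's code and does not import Django or DRF: the Request, BaseAPIView, WorkspaceUserPermission and WORKSPACE_MEMBERS names are hypothetical stand-ins constructed here to model the DRF pattern, and the member rows are constructed sample data.

```python
"""Added example, not Plane's own code: a framework-free model of the
DRF-style permission guard this PR puts on SearchEndpoint, written to show
what the auth-only endpoint leaked and what the membership guard changes.

Assumptions (hypothetical, for illustration only):
  - request.user is None for an unauthenticated request;
  - the view receives the workspace slug as kwargs["slug"], exposed as
    view.workspace_slug, mirroring the author's description;
  - WorkspaceMember rows are modelled as (user, workspace_slug, is_active).
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the WorkspaceMember table.
WORKSPACE_MEMBERS = [
    ("alice", "acme", True),
    ("bob", "acme", False),     # deactivated member: must be treated as a non-member
    ("carol", "globex", True),
]


@dataclass
class Request:
    user: Optional[str]         # None models an unauthenticated caller


class BaseAPIView:
    """Minimal stand-in for a DRF view: authenticate, run permission_classes, then dispatch."""
    permission_classes = ()

    def __init__(self, **kwargs):
        self.kwargs = kwargs

    @property
    def workspace_slug(self):
        # The permission class reads the slug from the URL kwargs, not from the request body.
        return self.kwargs.get("slug")

    def dispatch(self, request):
        if request.user is None:
            return 401, {"detail": "Authentication credentials were not provided."}
        for permission in self.permission_classes:
            if not permission().has_permission(request, self):
                return 403, {"detail": "You do not have permission to perform this action."}
        return self.get(request, self.kwargs["slug"])

    def get(self, request, slug):
        raise NotImplementedError


def members_of(slug):
    """The data the endpoint exposes: names of active members of a workspace."""
    return sorted(u for u, s, active in WORKSPACE_MEMBERS if s == slug and active)


class WorkspaceUserPermission:
    """Model of the permission class: caller must be an *active* member of view.workspace_slug."""

    def has_permission(self, request, view):
        return any(
            u == request.user and s == view.workspace_slug and active
            for u, s, active in WORKSPACE_MEMBERS
        )


class VulnerableSearchEndpoint(BaseAPIView):
    """Before the fix: authentication only, so any logged-in user can query any slug."""
    permission_classes = ()

    def get(self, request, slug):
        return 200, {"members": members_of(slug)}


class SearchEndpoint(BaseAPIView):
    """After the fix: membership is enforced in the permission layer, before get() runs."""
    permission_classes = (WorkspaceUserPermission,)

    def get(self, request, slug):
        return 200, {"members": members_of(slug)}


def search(view_cls, user, slug):
    """Drive one request through a view class; returns (status_code, body)."""
    return view_cls(slug=slug).dispatch(Request(user=user))


if __name__ == "__main__":
    # Cross-workspace enumeration: alice is not a member of globex.
    print("before:", search(VulnerableSearchEndpoint, "alice", "globex"))  # 200, carol listed
    print("after: ", search(SearchEndpoint, "alice", "globex"))            # 403
    print("inactive member:", search(SearchEndpoint, "bob", "acme"))       # 403
    print("unauthenticated:", search(SearchEndpoint, None, "acme"))        # 401
```

The inactive-member case is the one the PR's test plan does not list: a deactivated member still authenticates, so an auth-only endpoint serves them, and a permission class that forgets the is_active condition would too. Putting the guard in permission_classes rather than in get() means it runs before any handler on the view, so a method added later is covered without a second copy of the check.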

…UserPermission

Use the existing WorkspaceUserPermission permission class on SearchEndpoint
instead of a manual WorkspaceMember.objects.filter() guard inside the
method body. Enforcement behaviour is unchanged (GHSA-32q3-mqpc-3mhv).

Co-authored-by: Plane AI <noreply@plane.so>