Fix project member update authorization#9300

Open
gauravbsinghal wants to merge 1 commit into
makeplane:previewfrom
gauravbsinghal:niro-fix-project-member-update
Conversation

@gauravbsinghal gauravbsinghal commented Jun 24, 2026

Finding

Niro TC-1A95641A found that a project guest could PATCH another project member record with { "is_active": false }, deactivating that user's project membership.

Original PoC

As a project guest, PATCH /api/workspaces/<slug>/projects/<project_id>/members/<victim_membership_id>/ with JSON body { "is_active": false }. Before this fix the API returned 200 OK, persisted is_active=false, and the victim lost access to project member endpoints.

Red test on unfixed code

plane/tests/contract/app/test_project_app.py F

___ TestProjectMemberAPI.test_guest_cannot_deactivate_another_project_member ___

>       assert response.status_code == status.HTTP_403_FORBIDDEN
E       assert 200 == 403
E        +  where 200 = <Response status_code=200, "application/json">.status_code
E        +  and   403 = status.HTTP_403_FORBIDDEN

FAILED plane/tests/contract/app/test_project_app.py::TestProjectMemberAPI::test_guest_cannot_deactivate_another_project_member
============================== 1 failed in 1.58s ===============================

Green test on fixed code

plane/tests/contract/app/test_project_app.py .

============================== 1 passed in 1.00s ===============================

Fix

Restrict ProjectMemberViewSet.partial_update to project admins, matching membership create/delete behavior. Added a regression test asserting guests cannot deactivate another project member and the victim remains active.

Pentested and fixed by Niro

Summary by CodeRabbit

  • Security
    • Tightened project member update permissions to administrators only. Members and guests are now prevented from modifying project member information and records. Unauthorized update attempts will result in a 403 Forbidden error.
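A stand-alone sketch of the before/after permission gate and of the regression scenario the PR describes. This is an added illustration, not Plane's code: the ROLE enum, the in-memory membership table and the allow_permission stand-in are constructed assumptions that mirror the names used in the description.

```python
from enum import Enum

class ROLE(Enum):
    ADMIN = 20
    MEMBER = 15
    GUEST = 5

MEMBERS = {  # constructed sample table: membership_id -> membership row
    1: {"user": "alice", "role": ROLE.ADMIN, "is_active": True},
    2: {"user": "bob", "role": ROLE.GUEST, "is_active": True},
    3: {"user": "carol", "role": ROLE.MEMBER, "is_active": True},
}

def allow_permission(allowed_roles):
    """Stand-in for the @allow_permission decorator: gate a view on the caller's project role."""
    def decorator(view):
        def wrapped(self, request, membership_id):
            caller = next((m for m in self.members.values()
                           if m["user"] == request["user"] and m["is_active"]), None)
            if caller is None or caller["role"] not in allowed_roles:
                return 403, {"error": "You do not have permission to perform this action."}
            return view(self, request, membership_id)
        return wrapped
    return decorator

class ProjectMemberViewSet:
    def __init__(self, members):
        self.members = members

    def _apply_patch(self, request, membership_id):
        row = self.members[membership_id]
        row["is_active"] = request["data"]["is_active"]  # the field the PoC flipped
        return 200, row

    # Before the fix: every project role could PATCH any membership row.
    @allow_permission([ROLE.ADMIN, ROLE.MEMBER, ROLE.GUEST])
    def partial_update_vulnerable(self, request, membership_id):
        return self._apply_patch(request, membership_id)

    # After the fix: only project admins may update a membership record.
    @allow_permission([ROLE.ADMIN])
    def partial_update_fixed(self, request, membership_id):
        return self._apply_patch(request, membership_id)

def patch_membership(actor, target_id, fixed):
    # Regression scenario on a fresh copy of the table: returns (status, target_is_active).
    members = {k: dict(v) for k, v in MEMBERS.items()}
    view = ProjectMemberViewSet(members)
    handler = view.partial_update_fixed if fixed else view.partial_update_vulnerable
    status, _ = handler({"user": actor, "data": {"is_active": False}}, target_id)
    return status, members[target_id]["is_active"]
```

The two assertions the contract test makes (403 returned, victim still active) correspond to the fixed path; the vulnerable path reproduces the 200 seen in the red run.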

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


Gaurav Singhal seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

coderabbitai Bot commented Jun 24, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 48979a99-8010-48ff-a8b3-658c2e0f2fad

📥 Commits

Reviewing files that changed from the base of the PR and between 6c9dbb5 and 9931549.

📒 Files selected for processing (2)
  • apps/api/plane/app/views/project/member.py
  • apps/api/plane/tests/contract/app/test_project_app.py

📝 Walkthrough

Walkthrough

The partial_update endpoint on ProjectMemberViewSet has its @allow_permission decorator narrowed from [ROLE.ADMIN, ROLE.MEMBER, ROLE.GUEST] to [ROLE.ADMIN] only. A new contract test class TestProjectMemberAPI is added, with one test confirming a guest receives HTTP 403 and cannot alter another member's is_active state.

Changes

Permission Restriction on ProjectMember partial_update

Layer / File(s): Restrict partial_update to ADMIN and verify with contract test
  apps/api/plane/app/views/project/member.py, apps/api/plane/tests/contract/app/test_project_app.py
Summary: @allow_permission on partial_update is changed from [ROLE.ADMIN, ROLE.MEMBER, ROLE.GUEST] to [ROLE.ADMIN]. A new TestProjectMemberAPI.test_guest_cannot_deactivate_another_project_member test authenticates as a guest, PATCHes a victim member record with is_active=False, asserts 403, and confirms is_active remains True via refresh_from_db().

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 A single line, a rule made tight,
No guest shall dim another's light.
The admin key unlocks the gate,
While guests must simply sit and wait.
One test to prove the door stays shut—
Hop along, the fix is cut! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 25.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)
  • Title check: ✅ Passed. The title accurately summarizes the main change: restricting authorization for the project member update endpoint to admins only.
  • Description check: ✅ Passed. The description provides comprehensive details including the vulnerability, PoC, test results before/after the fix, and the solution. All key template sections are covered with substantive content.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
