
[WEB-7855] fix(security): prevent project invite email disclosure via unauthenticated GET#9305

Open
mguptahub wants to merge 1 commit into
previewfrom
web-7855/fix-project-invite-email-disclosure

Conversation

@mguptahub

@mguptahub mguptahub commented Jun 24, 2026

Collaborator

Summary

Fixes GHSA-2r58-hgv7-635q — Cluster L part 2.

ProjectJoinEndpoint.get() is AllowAny and was serializing with fields = "__all__" via ProjectMemberInviteSerializer. Anyone who knew the workspace slug, project ID, and invite UUID could retrieve the invitee's email address unauthenticated.

Changes

  • serializers/project.py — adds ProjectMemberInvitePublicSerializer with an explicit safe field list (id, project, workspace, role, message, accepted, responded_at) that intentionally excludes email and token
  • serializers/__init__.py — exports the new serializer
  • views/project/invite.py — ProjectJoinEndpoint.get() now uses ProjectMemberInvitePublicSerializer; the full serializer is retained for authenticated admin viewsets

post() is unchanged — it still requires the caller to supply the invitee email in the request body as verification.

Pattern

Mirrors the fix applied in WEB-7854 (WorkSpaceMemberInvitePublicSerializer) for workspace-level invites.

Test plan

  • GET /api/v1/<slug>/projects/<project_id>/invite/<pk>/ returns no email or token fields
  • POST /api/v1/<slug>/projects/<project_id>/invite/<pk>/ with correct email still accepts/declines the invite
  • POST with wrong email still returns 403
  • Authenticated admin list endpoints (ProjectInvitationsViewset) still return full invite data including email

Summary by CodeRabbit

  • New Features

    • Project invitation links now return a public-facing view with only the relevant invite details.
  • Bug Fixes

    • Sensitive invitation information is no longer included in the invitation GET response.
    • The invite response now consistently exposes read-only fields for safer sharing and viewing.
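The before/after serialization this PR describes, as an added Python illustration that is neither Plane's code nor Django REST Framework: a plain-Python stand-in for the `fields = "__all__"` serializer beside the explicit-allowlist public serializer, the POST email check, and the test-plan check that no email or token reaches the GET body. The invite values, the POST payload shape `{"email", "accepted"}`, the 403 error text and the constant-time comparison are assumptions.

```python
import hmac
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class ProjectMemberInvite:
    # Constructed stand-in for the Django model; all values are sample data.
    id: str
    project: str
    workspace: str
    role: int
    message: str
    accepted: bool
    responded_at: Optional[str]
    email: str  # sensitive: must never reach the unauthenticated GET
    token: str  # sensitive: must never reach the unauthenticated GET


SENSITIVE_FIELDS = {"email", "token"}
# Explicit allowlist, taken from the PR description's safe field list.
PUBLIC_FIELDS = ("id", "project", "workspace", "role", "message", "accepted", "responded_at")


def serialize_all(invite):
    """Before the fix: fields = "__all__" emits every column, email and token included."""
    return asdict(invite)


def serialize_public(invite):
    """After the fix: only allowlisted fields; columns added to the model later stay hidden."""
    data = asdict(invite)
    return {name: data[name] for name in PUBLIC_FIELDS}


def join_get(invite):
    """AllowAny GET handler: (status, body) built from the public serializer only."""
    return 200, serialize_public(invite)


def join_post(invite, payload):
    """POST handler: the caller must supply the invitee email as proof (assumed payload
    shape {"email": str, "accepted": bool}); a mismatch is refused with 403."""
    supplied = str(payload.get("email", ""))
    if not hmac.compare_digest(supplied.encode(), invite.email.encode()):  # assumed constant-time check
        return 403, {"error": "email does not match invite"}  # assumed error text
    invite.accepted = bool(payload.get("accepted", False))
    invite.responded_at = "2026-06-24T09:09:00Z"  # constructed timestamp
    return 200, serialize_public(invite)


def leaked_fields(body):
    """Test-plan check: which sensitive fields, if any, appear in a response body."""
    return sorted(SENSITIVE_FIELDS & set(body))


def make_sample():
    """Fresh constructed invite (hypothetical values, not from the project)."""
    return ProjectMemberInvite(
        id="00000000-0000-4000-8000-000000000001", project="proj-1", workspace="ws-1",
        role=15, message="Join us", accepted=False, responded_at=None,
        email="invitee@example.com", token="constructed-invite-token")
```

Running `leaked_fields` over `serialize_all(make_sample())` reports `['email', 'token']`, while `join_get` returns a body with no sensitive fields, which is the GET check from the test plan.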

…cated GET

ProjectJoinEndpoint.get() was AllowAny and used ProjectMemberInviteSerializer
(fields = "__all__"), leaking the invitee's email and token to anyone who
knew the workspace slug, project ID, and invite UUID (GHSA-2r58-hgv7-635q).

Introduce ProjectMemberInvitePublicSerializer with an explicit safe field list
that excludes `email` and `token`, and swap it in for the public GET endpoint.
The full serializer is retained for authenticated admin viewsets.

Co-authored-by: Plane AI <noreply@plane.so>
@mguptahub mguptahub requested a review from dheeru0198 as a code owner June 24, 2026 09:09
Copilot AI review requested due to automatic review settings June 24, 2026 09:09

Copilot AI left a comment

Contributor


Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Contributor


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2ed45802-04d5-4123-8010-e0cfe0c25e4a

📥 Commits

Reviewing files that changed from the base of the PR and between 6c9dbb5 and d2f8b68.

📒 Files selected for processing (3)
  • apps/api/plane/app/serializers/__init__.py
  • apps/api/plane/app/serializers/project.py
  • apps/api/plane/app/views/project/invite.py

📝 Walkthrough

Walkthrough

A new read-only serializer, ProjectMemberInvitePublicSerializer, is defined for ProjectMemberInvite with a restricted field set that omits email and token. It is re-exported from the serializers package and the ProjectJoinEndpoint.get() handler is switched to use it.

Changes

Public Invite GET Serializer

Layer: Public invite serializer definition and endpoint wiring
File(s): apps/api/plane/app/serializers/project.py, apps/api/plane/app/serializers/__init__.py, apps/api/plane/app/views/project/invite.py
Summary: ProjectMemberInvitePublicSerializer is added as a BaseSerializer subclass with Meta restricting fields to non-sensitive invite attributes (all read-only). It is re-exported from the serializers package, imported in the invite view, and ProjectJoinEndpoint.get() now uses it instead of ProjectMemberInviteSerializer.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested reviewers

  • pablohashescobar
  • dheeru0198

Poem

🐇 A secret's a secret, I kept it with care,
No email, no token to float in the air.
The invite hops out with just what you need,
Safe fields only — a tidy good deed!
sniff sniff All clear! 🌿

🚥 Pre-merge checks: 5 passed
  • Title check (Passed): The title clearly and concisely describes the security fix to prevent invite email disclosure on unauthenticated GET.
  • Description check (Passed): The description is detailed and covers summary, changes, and test plan, with only some optional template sections omitted.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.


@makeplane

makeplane Bot commented Jun 24, 2026


2 participants