fix: Member Information Disclosure via Public Endpoint #8646

2026-02-20 18:33:45 +05:30 · 2026-02-20 18:33:45 +05:30 · f53446340b
commit f53446340b
parent 9070acbbe8
3 changed files with 8 additions and 14 deletions
--- a/apps/api/plane/space/views/project.py
+++ b/apps/api/plane/space/views/project.py
@ -67,6 +67,11 @@ class ProjectMembersEndpoint(BaseAPIView):

    def get(self, request, anchor):
        deploy_board = DeployBoard.objects.filter(anchor=anchor).first()
+        if not deploy_board:
+            return Response(
+                {"error": "Invalid anchor"},
+                status=status.HTTP_404_NOT_FOUND,
+            )

        members = ProjectMember.objects.filter(
            project=deploy_board.project,
@ -75,10 +80,7 @@ class ProjectMembersEndpoint(BaseAPIView):
        ).values(
            "id",
            "member",
-            "member__first_name",
-            "member__last_name",
            "member__display_name",
-            "project",
-            "workspace",
+            "member__avatar",
        )
        return Response(members, status=status.HTTP_200_OK)
--- a/apps/space/core/types/member.d.ts
+++ b/apps/space/core/types/member.d.ts
@ -1,10 +1,6 @@
 export type TPublicMember = {
  id: string;
  member: string;
-  member__avatar: string;
-  member__first_name: string;
-  member__last_name: string;
  member__display_name: string;
-  project: string;
-  workspace: string;
+  member__avatar: string;
 };
--- a/packages/types/src/users.ts
+++ b/packages/types/src/users.ts
@ -194,12 +194,8 @@ export type TProfileViews = "assigned" | "created" | "subscribed";
 export type TPublicMember = {
  id: string;
  member: string;
-  member__avatar: string;
-  member__first_name: string;
-  member__last_name: string;
  member__display_name: string;
-  project: string;
-  workspace: string;
+  member__avatar: string;
 };

 // export interface ICurrentUser {