The bulk update date endpoint fetched issues by ID without filtering
by workspace or project, allowing any authenticated project member to
modify start_date and target_date of issues in any workspace/project
across the entire instance (IDOR - CWE-639).
Scoped the query to include workspace__slug and project_id filters,
consistent with other issue endpoints in the codebase.
Ref: GHSA-4q54-h4x9-m329
Fixes#6746
API-driven issue updates (PUT update, PUT create-via-upsert, PATCH) were
missing `model_activity.delay()` calls, so webhooks were never dispatched
for changes made through the API. The web UI paths already include these
calls (e.g. in `post()` at L475), but the `put()` and `partial_update()`
methods only called `issue_activity.delay()`.
This adds `model_activity.delay()` immediately after each existing
`issue_activity.delay()` in these three code paths, using the same
signature as the existing call in `post()`.
Tested on Plane CE v1.2.1 self-hosted: API PATCH triggers
`webhook_send_task` in the Celery worker, confirming webhook delivery.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: enhance authentication logging with detailed error and info messages
- Added logging for various authentication events in the Adapter and its subclasses, including email validation, user existence checks, and password strength validation.
- Implemented error handling for GitHub OAuth email retrieval, ensuring proper logging of unexpected responses and missing primary emails.
- Updated logging configuration in local and production settings to include a dedicated logger for authentication events.
* chore: address copilot comments
* chore: addressed some additional comments
* chore: update log
* fix: lint
* chore: updated the logic for page version task
* chore: updated the html variable
* chore: handled the exception
* chore: changed the function name
* chore: added a custom variable
* chore: update ProjectSerializer to raise validation for special characters in name and identifier
* chore: update external endpoints
* fix: external api serializer validation
* update serializer to send error code
* fix: move the regex expression to Project model
- Modified the invite link to include a token for enhanced security.
- Updated the WorkspaceJoinEndpoint to validate the token instead of the email.
- Adjusted the workspace invitation task to generate links with the token.
- Refactored the frontend to handle token in the invitation process.
Co-authored-by: sriram veeraghanta <veeraghanta.sriram@gmail.com>
* fix: allow markdown file attachments
- Add text/markdown to ATTACHMENT_MIME_TYPES
- Fixes issue where .md files were rejected with 'Invalid file type' error
* added the support for frontend mime type too
* refactor: rename IssueUserProperty to ProjectUserProperty and update related references across the codebase
* migrate: move issue user properties to project user properties and update related fields and constraints
* refactor: rename IssueUserPropertySerializer and IssueUserDisplayPropertyEndpoint to ProjectUserPropertySerializer and ProjectUserDisplayPropertyEndpoint, updating all related references
* fix: enhance ProjectUserDisplayPropertyEndpoint to handle missing properties by creating new entries and improve response handling
* fix: correct formatting in migration for ProjectUserProperty model options
* migrate: add migration to update existing non-service API tokens to remove workspace association
* migrate: refine migration to update existing non-service API tokens by excluding bot users from workspace removal
* chore: changed the project sort order in project user property
* chore: remove allowed_rate_limit from APIToken
* chore: updated user-properties endpoint for frontend
* chore: removed the extra projectuserproperty
* chore: updated the migration file
* chore: code refactor
* fix: type error
---------
Co-authored-by: NarayanBavisetti <narayan3119@gmail.com>
Co-authored-by: sangeethailango <sangeethailango21@gmail.com>
Co-authored-by: vamsikrishnamathala <matalav55@gmail.com>
Co-authored-by: Anmol Singh Bhatia <anmolsinghbhatia@plane.so>
* migration: added version field in webhook
* chore: add max_length
* chore: added product tour fields
* chore: updated the migration file
* chore: removed the duplicated migration file
* chore: added allowed_rate_limit for api_tokens
* chore: changed key feature tour to product tour
* chore: added is_subscribed_to_changelog field
---------
Co-authored-by: NarayanBavisetti <narayan3119@gmail.com>
* fix: using base url of a redirect url
* chore: internal networks check for the final_url
* fix: none final_url
* fix: exception handling
* fix: exception handling
* chore: remove unused imports
* refactor: moved ip address check logic into separate function
* fix: ValueError logic
