
fix: added workspace member check in allow permission for creator #8778

Open
NarayanBavisetti wants to merge 1 commit into preview from chore-workspace-member-permission-check

Conversation

NarayanBavisetti (Collaborator) commented Mar 20, 2026

Description

This pull request adds a check to verify whether the creator is part of the workspace and active in it.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced authorization checks to verify workspace membership before allowing access to resources, ensuring unauthorized users receive appropriate error responses.

Copilot AI review requested due to automatic review settings March 20, 2026 11:47
coderabbitai bot (Contributor) commented Mar 20, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 1faf06c and 302e446.

📒 Files selected for processing (1)
  • apps/api/plane/app/permissions/base.py

📝 Walkthrough

An early authorization check is added to the allow_permission decorator with creator=True and model parameters. The decorator now verifies the requesting user is an active WorkspaceMember before proceeding to object ownership verification, immediately returning HTTP 403 if not.

Changes

Cohort: Authorization Enhancement
  • File: apps/api/plane/app/permissions/base.py
    Summary: Added early WorkspaceMember active-status check in the allow_permission decorator to prevent unauthorized access before object ownership validation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A guardian check, early and keen,
Before the secrets can be seen,
Active members pass right through,
While others find the door is new—
Security strengthened, hop hooray!

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Docstring Coverage ⚠️ Warning: Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Description check ❓ Inconclusive: The description covers the main objective but lacks detail. Required sections like Test Scenarios and References are missing, and the Description section is minimal. Resolution: expand the Description with more context on why this check was needed, and add a Test Scenarios section describing verification steps and any related issues/references.

✅ Passed checks (1 passed)

  • Title check ✅ Passed: The title accurately describes the main change: adding a workspace member check in the allow_permission decorator for creator-based authorization.


Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the API permission decorator to ensure “creator” shortcut access is only granted when the requesting user is an active member of the workspace referenced by the request.

Changes:

  • Added an active WorkspaceMember existence check in the creator=True permission path.
  • Returns a 403 response when the requester is not an active workspace member.
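As an added illustration (not the project's own code and not the contents of apps/api/plane/app/permissions/base.py), the following hypothetical Python reconstruction shows the shape of the check both reviews above describe: a creator=True shortcut in a permission decorator that must confirm an active WorkspaceMember before it compares object ownership. The model and field names (WorkspaceMember, Issue, created_by_id, is_active, the role values), the Request stub and the in-memory tables are all assumptions; the require_active_member flag exists only to contrast the pre-fix and post-fix behaviour.

```python
"""Hypothetical creator-shortcut permission decorator (illustration only).

All names here are assumptions for demonstration, not Plane's actual code.
"""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, Iterable, List, Optional, Type

ADMIN, MEMBER, GUEST = 20, 15, 5  # assumed role values
FORBIDDEN = (403, "You do not have permission to perform this action.")


@dataclass(frozen=True)
class WorkspaceMember:
    user_id: int
    workspace_slug: str
    role: int
    is_active: bool


@dataclass(frozen=True)
class Issue:
    pk: int
    workspace_slug: str
    created_by_id: int


@dataclass(frozen=True)
class Request:
    user_id: int


# Constructed sample data: user 1 is an active admin; user 2 created issue 10
# and was later deactivated (removed from the workspace); user 3 never joined.
MEMBERS: List[WorkspaceMember] = [
    WorkspaceMember(1, "acme", ADMIN, True),
    WorkspaceMember(2, "acme", MEMBER, False),
]
ISSUES: Dict[int, Issue] = {10: Issue(10, "acme", created_by_id=2)}


def get_member(user_id: int, slug: str) -> Optional[WorkspaceMember]:
    """Stand-in for a WorkspaceMember lookup keyed by user and workspace."""
    return next(
        (m for m in MEMBERS if m.user_id == user_id and m.workspace_slug == slug),
        None,
    )


def get_object(model: Type, pk: int, slug: str):
    """Stand-in for model.objects.get(pk=..., workspace__slug=...)."""
    if model is Issue:
        obj = ISSUES.get(pk)
        return obj if obj is not None and obj.workspace_slug == slug else None
    return None


def allow_permission(allowed_roles: Iterable[int], creator: bool = False,
                     model: Optional[Type] = None,
                     require_active_member: bool = True):
    """Role check first, then the creator shortcut.

    require_active_member=False reproduces the pre-fix behaviour: the creator
    path consulted only created_by, so a user removed from the workspace kept
    access to objects they had created.
    """
    roles = set(allowed_roles)

    def decorator(view: Callable):
        @wraps(view)
        def wrapper(request: Request, slug: str, pk: Optional[int] = None, **kwargs):
            member = get_member(request.user_id, slug)
            if member is not None and member.is_active and member.role in roles:
                return view(request, slug, pk, **kwargs)
            if creator and model is not None and pk is not None:
                # The fix: an ex-member or outsider must never reach the
                # ownership comparison, regardless of who created the object.
                if require_active_member and (member is None or not member.is_active):
                    return FORBIDDEN
                obj = get_object(model, pk, slug)
                if obj is not None and obj.created_by_id == request.user_id:
                    return view(request, slug, pk, **kwargs)
            return FORBIDDEN
        return wrapper
    return decorator


def make_view(require_active_member: bool) -> Callable:
    """Build a retrieve view guarded by the decorator in either mode."""
    @allow_permission([ADMIN], creator=True, model=Issue,
                      require_active_member=require_active_member)
    def retrieve_issue(request: Request, slug: str, pk: Optional[int] = None):
        return (200, ISSUES[pk])
    return retrieve_issue


def status_for(user_id: int, pk: int, require_active_member: bool = True) -> int:
    """HTTP status the guarded view yields for a given user and object."""
    view = make_view(require_active_member)
    return view(Request(user_id), "acme", pk)[0]
```

With the sample data, the deactivated creator (user 2) gets 200 on issue 10 only when require_active_member is False, which is the gap the PR closes; with the early membership check in place the same request yields 403, as does any request from a user who was never a member.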
