[WEB-7877] fix(security): enforce token + auth validation on project invite accept/reject#9308

Open
mguptahub wants to merge 2 commits into preview from web-7877/fix-project-invite-token-validation
Conversation

@mguptahub mguptahub commented Jun 24, 2026

Summary

Fixes GHSA-g36h-p63v-g9c7 — Cluster K.

ProjectJoinEndpoint.post() only validated that the caller-supplied email matched the invited email. There was no token requirement and no authentication requirement — anyone who knew the workspace slug, project ID, invite UUID, and invitee email could accept or reject a project invitation on the invitee's behalf.

Changes

views/project/invite.pyProjectJoinEndpoint.post():

  • Validate token from request body against project_invite.token → 403 on missing or mismatched token
  • Require authenticated session → 401 if unauthenticated
  • Validate request.user.email against project_invite.email → 403 on mismatch
  • Remove the old request.data["email"] guard
  • Use project_invite.email for downstream User.objects.filter(...) lookup

Pattern

Mirrors WorkspaceJoinEndpoint.post() exactly (fixed in WEB-7854 / PR #9297).

Test plan

  • POST with correct token + authenticated as the invited user → accepts/declines successfully
  • POST with wrong token → 403
  • POST with no token → 403
  • POST unauthenticated (even with correct token) → 401
  • POST authenticated as a different user (even with correct token) → 403
  • GET still works unauthenticated (public serializer, no token exposed)

Summary by CodeRabbit

  • Bug Fixes
    • Strengthened project invitation acceptance by requiring a valid invitation token.
    • Added enforcement that requests come from an authenticated session.
    • Verified the authenticated user’s email matches the invite’s email (case-insensitive) before allowing acceptance.
    • Improved handling for invalid request values and mismatched invitation details, with clearer 4xx responses.

…pt/reject

ProjectJoinEndpoint.post() only checked that the caller-supplied email matched
the invited email — no token required, no authentication required.  Anyone who
knew the workspace slug, project ID, invite UUID, and invitee email could
accept or reject the invitation on the invitee's behalf (GHSA-g36h-p63v-g9c7).

Mirror WorkspaceJoinEndpoint.post() exactly:
- Validate `token` from request body against project_invite.token (→ 403 on mismatch)
- Require authenticated session (→ 401 if unauthenticated)
- Validate request.user.email against project_invite.email (→ 403 on mismatch)
- Remove the old request.data["email"] guard
- Use project_invite.email for downstream User lookup

Co-authored-by: Plane AI <noreply@plane.so>
Copilot AI review requested due to automatic review settings June 24, 2026 11:28

Copilot AI left a comment

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

coderabbitai Bot commented Jun 24, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 55ab4cf1-89b4-4a5c-b570-cdd8a354ccaa

📥 Commits

Reviewing files that changed from the base of the PR and between 6de5e44 and c03149c.

📒 Files selected for processing (1)
  • apps/api/plane/app/views/project/invite.py
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/api/plane/app/views/project/invite.py

📝 Walkthrough

Walkthrough

ProjectJoinEndpoint.post now validates a request-body token, requires an authenticated session, checks that the authenticated user's email matches the invite email, and then records a boolean accepted response with responded_at before binding accepted invites to request.user.

Changes

Project Invitation Acceptance Security Hardening

Layer | File(s) | Summary
Token validation, auth, and email-match checks | apps/api/plane/app/views/project/invite.py | Reads token from request data, rejects missing or mismatched tokens with 403, rejects unauthenticated requests with 401, and rejects authenticated users whose email does not match the invite email with 403.
Acceptance save and invitee binding | apps/api/plane/app/views/project/invite.py | Validates accepted as a boolean on first response, stores accepted and responded_at, and uses request.user as the invitee when the invite is accepted.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • makeplane/plane#9297: Tightens the same invite-acceptance flow with authentication and email-match checks in a closely related endpoint path.

Suggested reviewers

  • pablohashescobar
  • dheeru0198

🐇 A token now guards the invite gate,
Auth and email must both match the state.
A boolean reply sets the path in place,
Then Bunny hops through with request.user grace.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title clearly summarizes the security fix to project invite acceptance by adding token and auth validation.
Description check | ✅ Passed | The description covers the bug, changes, and test plan, but it doesn't fully match the template sections or include Type of Change and References.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

makeplane Bot commented Jun 24, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/api/plane/app/views/project/invite.py`:
- Line 214: The invite acceptance flow in the project invite view currently
assigns request.data["accepted"] directly in the handler, which can treat string
values like "false" as truthy and incorrectly accept invites. Update the
acceptance logic in the invite-handling method so `accepted` is parsed and
validated as a real boolean before it is saved or used to create memberships,
and make sure any non-boolean input is rejected or normalized explicitly.
- Around line 207-220: The invite acceptance flow in the project invite handler
uses a case-insensitive check on request.user.email but then re-queries User by
exact project_invite.email, which can miss the authenticated account or pick the
wrong case variant. Update the acceptance branch in the invite view to use the
already authenticated request.user (the same user validated earlier) when
creating membership-related records, rather than looking up
User.objects.filter(email=project_invite.email).first(). Ensure the later
membership writes and any related logic consistently reference that
authenticated user object.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8743b040-043e-494c-a47d-8f2ef4fa7e3d

📥 Commits

Reviewing files that changed from the base of the PR and between 1e8f363 and 6de5e44.

📒 Files selected for processing (1)
  • apps/api/plane/app/views/project/invite.py

- Use request.user directly instead of re-querying User by exact
  project_invite.email — avoids case-variant miss after the case-insensitive
  email check already validated the authenticated user (CR comment 1)
- Validate `accepted` as a real boolean before saving — form-encoded
  strings like "false" are truthy and could accidentally create memberships
  (CR comment 2)

Co-authored-by: Plane AI <noreply@plane.so>
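The check order laid out in the PR description, together with the two refinements from this follow-up commit (bind the already-authenticated user instead of re-querying by e-mail, and reject a non-boolean `accepted`), can be run end to end against the PR's test plan without Django. The block below is an added example written for this page, not Plane's code: `Invite`, `Request`, `join_project`, `public_view` and `make_invite` are constructed names, the token and e-mail values are made up, and the real `ProjectJoinEndpoint.post()` is a Django REST Framework view backed by ORM models.

```python
# Added illustration, not Plane's own code: a dependency-free model of the
# validation order the PR describes for ProjectJoinEndpoint.post(), including
# the follow-up fixes (bind request.user directly; treat `accepted` as a real
# boolean). All class and function names here are constructed for the example.
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass
class Invite:
    """Stand-in for a project invite row (constructed)."""
    token: str
    email: str
    accepted: Optional[bool] = None          # None until the invitee responds
    responded_at: Optional[datetime] = None
    member_user_id: Optional[str] = None     # bound to the accepting account


@dataclass
class Request:
    """Stand-in for a DRF request; user_id=None models an anonymous session."""
    data: dict
    user_id: Optional[str] = None
    user_email: Optional[str] = None


def public_view(invite: Invite) -> dict:
    """GET stays unauthenticated, so the serializer must never expose the token."""
    return {"email": invite.email, "accepted": invite.accepted}


def join_project(invite: Invite, request: Request) -> Tuple[int, str]:
    """Returns (HTTP status, message). Order: token -> auth -> email -> payload -> save.

    Note that request.data["email"] is never consulted: the old guard that
    compared a caller-supplied e-mail with the invite is gone.
    """
    token = request.data.get("token")
    # 1. Token is mandatory and must match. Constant-time compare so a
    #    mismatch does not leak how many leading characters were right.
    if not isinstance(token, str) or not hmac.compare_digest(
        token.encode(), invite.token.encode()
    ):
        return 403, "invalid or missing token"

    # 2. Knowing the token is not enough: the caller must be logged in.
    if request.user_id is None:
        return 401, "authentication required"

    # 3. The logged-in account must be the invitee. Case-insensitive, since
    #    e-mail addresses are frequently stored with mixed case.
    if (request.user_email or "").lower() != invite.email.lower():
        return 403, "authenticated user does not match invite"

    # 4. `accepted` must be a genuine boolean and is checked before any write.
    #    With form-encoded input the string "false" is truthy, which would have
    #    silently created a membership.
    accepted = request.data.get("accepted")
    if not isinstance(accepted, bool):
        return 400, "accepted must be a boolean"

    # 5. Record the response and bind an accepted invite to the account already
    #    validated in step 3 rather than re-querying a User by exact e-mail,
    #    which could miss a case variant of the same address.
    invite.accepted = accepted
    invite.responded_at = datetime.now(timezone.utc)
    if accepted:
        invite.member_user_id = request.user_id
    return 200, ("invitation accepted" if accepted else "invitation declined")


def make_invite() -> Invite:
    """Constructed sample invite; the token is a placeholder, not a real secret."""
    return Invite(token="tok-constructed-example-123", email="Invitee@Example.com")


if __name__ == "__main__":
    inv = make_invite()
    req = Request(data={"token": inv.token, "accepted": True},
                  user_id="user-1", user_email="invitee@example.com")
    print(join_project(inv, req), inv.member_user_id)
```

The order matters for the failure modes the test plan enumerates: a wrong or absent token is refused before authentication is even considered, an anonymous caller with the right token still gets 401, and `accepted` is validated before `responded_at` is set, so a malformed payload leaves the invite untouched.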