[WEB-7730] fix(security): scope cascade deletes to workspace in BulkDeleteIssuesEndpoint #9270

Open

mguptahub wants to merge 1 commit into preview from web-7730/fix-bulk-delete-cascade

Conversation

mguptahub (Contributor) commented Jun 19, 2026

Summary

  • BulkDeleteIssuesEndpoint.delete() correctly scoped the issues queryset to workspace+project, but the cascade deletes on CycleIssue and ModuleIssue used the raw issue_ids from the request
  • An attacker could pass issue IDs from another workspace to delete CycleIssue/ModuleIssue records they don't own
  • Fix: replace issue_id__in=issue_ids (raw user input) with issue__in=issues (the already-scoped queryset) in both cascade deletes

Affected advisories (Cluster H)

Changes

File: apps/api/plane/app/views/issue/base.py
Change: Replace issue_id__in=issue_ids → issue__in=issues in CycleIssue and ModuleIssue cascade deletes

Test plan

  • Call bulk delete with issue IDs from workspace B while authenticated in workspace A — CycleIssue/ModuleIssue records from workspace B should not be deleted
  • Verify normal bulk delete still works — issues and their cycle/module memberships in the correct workspace are deleted

Summary by CodeRabbit

  • Bug Fixes
    • Fixed bulk deletion of issues to properly remove related cycle and module associations using correct workspace and project filtering, ensuring complete cleanup and preventing orphaned records.
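The cross-workspace cascade described above, as an added in-memory model that is not Plane's code: plain lists stand in for the Issue, CycleIssue and ModuleIssue tables, the Issue/Membership dataclasses and the fixture are constructed, and the two delete functions mirror only the "before" (issue_id__in=issue_ids) and "after" (issue__in=issues) filters named in the PR. It also runs the first test-plan case (IDs from workspace B sent while scoped to workspace A) against both variants.

```python
"""Constructed in-memory stand-in for the BulkDeleteIssuesEndpoint cascade.

Not Plane's code: plain lists replace the Django tables, and the two delete
functions mirror only the 'before' (issue_id__in=issue_ids) and 'after'
(issue__in=issues) filters described in the PR.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    id: int
    workspace: str
    project: int


@dataclass(frozen=True)
class Membership:
    """Stands in for one CycleIssue or ModuleIssue row."""
    issue_id: int
    workspace: str


# Constructed fixture: issue 1 lives in workspace ws-a, issue 2 in ws-b.
ISSUES = [Issue(1, "ws-a", 10), Issue(2, "ws-b", 20)]
MEMBERSHIPS = [Membership(1, "ws-a"), Membership(2, "ws-b")]


def scoped_issues(issues, workspace, project, issue_ids):
    """Counterpart of the view's workspace+project-scoped issues queryset."""
    return [i for i in issues
            if i.workspace == workspace and i.project == project and i.id in issue_ids]


def bulk_delete_before(issues, memberships, workspace, project, issue_ids):
    """Vulnerable variant: memberships filtered by the raw request ids."""
    scoped_ids = {i.id for i in scoped_issues(issues, workspace, project, issue_ids)}
    remaining_issues = [i for i in issues if i.id not in scoped_ids]
    remaining_members = [m for m in memberships if m.issue_id not in set(issue_ids)]
    return remaining_issues, remaining_members


def bulk_delete_after(issues, memberships, workspace, project, issue_ids):
    """Fixed variant: memberships filtered by the scoped queryset's ids."""
    scoped_ids = {i.id for i in scoped_issues(issues, workspace, project, issue_ids)}
    remaining_issues = [i for i in issues if i.id not in scoped_ids]
    remaining_members = [m for m in memberships if m.issue_id not in scoped_ids]
    return remaining_issues, remaining_members


def foreign_rows_removed(delete_fn, workspace, project, issue_ids):
    """Memberships outside the caller's workspace that delete_fn removed."""
    _, remaining = delete_fn(ISSUES, MEMBERSHIPS, workspace, project, issue_ids)
    return [m for m in MEMBERSHIPS if m.workspace != workspace and m not in remaining]
```

With the request ids [1, 2] sent under workspace ws-a, the "before" variant removes ws-b's membership row while the "after" variant leaves it untouched; a plain in-workspace delete still removes the issue and its membership.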

…Endpoint

CycleIssue and ModuleIssue cascade deletes used raw issue_ids from the
request instead of the already workspace+project scoped issues queryset,
allowing cross-workspace deletion of related records.

Fixes GHSA-6cw7-h92q-p9hg and GHSA-2rr4-rp7r-32p4.
GHSA-7q7r-mrr4-2wwx (sub-issue parent reassign) covered in WEB-7727.

Co-authored-by: Plane AI <noreply@plane.so>
Copilot AI review requested due to automatic review settings June 19, 2026 11:38

Copilot AI left a comment

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

coderabbitai Bot commented Jun 19, 2026

📝 Walkthrough

In BulkDeleteIssuesEndpoint.delete, the deletion of related CycleIssue and ModuleIssue records is changed to filter by issue__in=issues (the workspace/project-scoped queryset) instead of issue_id__in=issue_ids (raw IDs from the request payload).

Changes

Bulk Issue Deletion Scoping Fix

Layer: Scoped CycleIssue and ModuleIssue deletion
File(s): apps/api/plane/app/views/issue/base.py
Summary: CycleIssue and ModuleIssue delete calls change from issue_id__in=issue_ids to issue__in=issues, tying related-record deletions to the already workspace- and project-scoped issues queryset rather than the raw request IDs.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A rabbit once hopped through a field of IDs,
And found some unscoped ones hiding in weeds.
"Use the queryset!" she twitched her small nose,
Now cycles and modules delete with proper scope.
Tidy and safe, as every good burrow should be! 🐇✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Description check: ⚠️ Warning. The PR description does not follow the required template structure with Type of Change, Screenshots, and Test Scenarios sections. Resolution: restructure the description to match the template: add a Type of Change section with checkboxes, include a Screenshots section (even if N/A), and move test scenarios into the proper section format.

✅ Passed checks (3 passed)

  • Title check: ✅ Passed. The title directly describes the main security fix: scoping cascade deletes to the workspace in BulkDeleteIssuesEndpoint, which aligns with the core change in the PR.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

makeplane Bot commented Jun 19, 2026
