Merge pull request #4238 from makeplane/preview

release: v0.18-dev

.github/ISSUE_TEMPLATE/--bug-report.yaml

@@ -55,12 +55,19 @@ body:
       - Safari
       - Other
 - type: dropdown
-  id: version
+  id: variant
   attributes:
-    label: Version
+    label: Variant
     options:
       - Cloud
       - Self-hosted
       - Local
+  validations:
+    required: true
+- type: input
+  id: version
+  attributes:
+    label: Version
+    placeholder: v0.17.0-dev
   validations:
     required: true

.github/workflows/codeql.yml

@@ -3,7 +3,7 @@ name: "CodeQL"
 on:
   workflow_dispatch:
   push:
-    branches: ["develop", "preview", "master"]
+    branches: ["preview", "master"]
   pull_request:
     branches: ["develop", "preview", "master"]
   schedule:

Dockerfile

@@ -27,7 +27,7 @@ RUN yarn install
 COPY --from=builder /app/out/full/ .
 COPY turbo.json turbo.json
 COPY replace-env-vars.sh /usr/local/bin/
-USER root
+
 RUN chmod +x /usr/local/bin/replace-env-vars.sh
 
 RUN yarn turbo run build
@@ -89,21 +89,17 @@ RUN chmod -R 777 /code
 
 WORKDIR /app
 
-# Don't run production as root
-RUN addgroup --system --gid 1001 plane
-RUN adduser --system --uid 1001 captain
-
 COPY --from=installer /app/apps/app/next.config.js .
 COPY --from=installer /app/apps/app/package.json .
 COPY --from=installer /app/apps/space/next.config.js .
 COPY --from=installer /app/apps/space/package.json .
 
-COPY --from=installer --chown=captain:plane /app/apps/app/.next/standalone ./
+COPY --from=installer /app/apps/app/.next/standalone ./
 
-COPY --from=installer --chown=captain:plane /app/apps/app/.next/static ./apps/app/.next/static
+COPY --from=installer /app/apps/app/.next/static ./apps/app/.next/static
 
-COPY --from=installer --chown=captain:plane /app/apps/space/.next/standalone ./
-COPY --from=installer --chown=captain:plane /app/apps/space/.next ./apps/space/.next
+COPY --from=installer /app/apps/space/.next/standalone ./
+COPY --from=installer /app/apps/space/.next ./apps/space/.next
 
 ENV NEXT_TELEMETRY_DISABLED 1
 
@@ -118,7 +114,6 @@ ARG NEXT_PUBLIC_API_BASE_URL=http://localhost:8000
 ENV NEXT_PUBLIC_API_BASE_URL=$NEXT_PUBLIC_API_BASE_URL \
     BUILT_NEXT_PUBLIC_API_BASE_URL=$NEXT_PUBLIC_API_BASE_URL
 
-USER root
 COPY replace-env-vars.sh /usr/local/bin/
 COPY start.sh /usr/local/bin/
 RUN chmod +x /usr/local/bin/replace-env-vars.sh

SECURITY.md

@@ -0,0 +1,44 @@
+# Security Policy
+
+This document outlines security procedures and vulnerabilities reporting for the Plane project.
+
+At Plane, we safeguarding the security of our systems with top priority. Despite our efforts, vulnerabilities may still exist. We greatly appreciate your assistance in identifying and reporting any such vulnerabilities to help us maintain the integrity of our systems and protect our clients.
+
+To report a security vulnerability, please email us directly at security@plane.so with a detailed description of the vulnerability and steps to reproduce it. Please refrain from disclosing the vulnerability publicly until we have had an opportunity to review and address it.
+
+## Out of Scope Vulnerabilities
+
+We appreciate your help in identifying vulnerabilities. However, please note that the following types of vulnerabilities are considered out of scope:
+
+- Attacks requiring MITM or physical access to a user's device.
+- Content spoofing and text injection issues without demonstrating an attack vector or ability to modify HTML/CSS.
+- Email spoofing.
+- Missing DNSSEC, CAA, CSP headers.
+- Lack of Secure or HTTP only flag on non-sensitive cookies.
+
+## Reporting Process
+
+If you discover a vulnerability, please adhere to the following reporting process:
+
+1. Email your findings to security@plane.so.
+2. Refrain from running automated scanners on our infrastructure or dashboard without prior consent. Contact us to set up a sandbox environment if necessary.
+3. Do not exploit the vulnerability for malicious purposes, such as downloading excessive data or altering user data.
+4. Maintain confidentiality and refrain from disclosing the vulnerability until it has been resolved.
+5. Avoid using physical security attacks, social engineering, distributed denial of service, spam, or third-party applications.
+
+When reporting a vulnerability, please provide sufficient information to allow us to reproduce and address the issue promptly. Include the IP address or URL of the affected system, along with a detailed description of the vulnerability.
+
+## Our Commitment
+
+We are committed to promptly addressing reported vulnerabilities and maintaining open communication throughout the resolution process. Here's what you can expect from us:
+
+- **Response Time:** We will acknowledge receipt of your report within three business days and provide an expected resolution date.
+- **Legal Protection:** We will not pursue legal action against you for reporting vulnerabilities, provided you adhere to the reporting guidelines.
+- **Confidentiality:** Your report will be treated with strict confidentiality. We will not disclose your personal information to third parties without your consent.
+- **Progress Updates:** We will keep you informed of our progress in resolving the reported vulnerability.
+- **Recognition:** With your permission, we will publicly acknowledge you as the discoverer of the vulnerability.
+- **Timely Resolution:** We strive to resolve all reported vulnerabilities promptly and will actively participate in the publication process once the issue is resolved.
+
+We appreciate your cooperation in helping us maintain the security of our systems and protecting our clients. Thank you for your contributions to our security efforts.
+
+reference: https://supabase.com/.well-known/security.txt

apiserver/Dockerfile.api

@@ -32,28 +32,18 @@ RUN apk add --no-cache --virtual .build-deps \
     apk del .build-deps
 
 
-RUN addgroup -S plane && \
-    adduser -S captain -G plane
-
-RUN chown captain.plane /code
-
-USER captain
-
 # Add in Django deps and generate Django's static files
 COPY manage.py manage.py
 COPY plane plane/
 COPY templates templates/
 COPY package.json package.json
-USER root
+
 RUN apk --no-cache add "bash~=5.2"
 COPY ./bin ./bin/
 
 RUN mkdir -p /code/plane/logs
 RUN chmod +x ./bin/takeoff ./bin/worker ./bin/beat
 RUN chmod -R 777 /code
-RUN chown -R captain:plane /code
-
-USER captain
 
 # Expose container port and run entry point script
 EXPOSE 8000

apiserver/Dockerfile.dev

@@ -30,17 +30,13 @@ ADD requirements ./requirements
 # Install the local development settings
 RUN pip install -r requirements/local.txt --compile --no-cache-dir
 
-RUN addgroup -S plane && \
-    adduser -S captain -G plane
 
 COPY . .
 
 RUN mkdir -p /code/plane/logs
-RUN chown -R captain.plane /code
 RUN chmod -R +x /code/bin
 RUN chmod -R 777 /code
 
-USER captain
 
 # Expose container port and run entry point script
 EXPOSE 8000

apiserver/plane/api/serializers/base.py

@@ -66,11 +66,11 @@ def to_representation(self, instance):
                 if expand in self.fields:
                     # Import all the expandable serializers
                     from . import (
-                        WorkspaceLiteSerializer,
+                        IssueSerializer,
                         ProjectLiteSerializer,
-                        UserLiteSerializer,
                         StateLiteSerializer,
-                        IssueSerializer,
+                        UserLiteSerializer,
+                        WorkspaceLiteSerializer,
                     )
 
                     # Expansion mapper

apiserver/plane/api/serializers/issue.py

@@ -79,7 +79,7 @@ def validate(self, data):
                 parsed_str = html.tostring(parsed, encoding="unicode")
                 data["description_html"] = parsed_str
 
-        except Exception as e:
+        except Exception:
             raise serializers.ValidationError("Invalid HTML passed")
 
         # Validate assignees are from project
@@ -366,7 +366,7 @@ def validate(self, data):
                 parsed_str = html.tostring(parsed, encoding="unicode")
                 data["comment_html"] = parsed_str
 
-        except Exception as e:
+        except Exception:
             raise serializers.ValidationError("Invalid HTML passed")
         return data
 

apiserver/plane/api/serializers/project.py

@@ -7,6 +7,7 @@
     ProjectIdentifier,
     WorkspaceMember,
 )
+
 from .base import BaseSerializer
 
 

apiserver/plane/api/serializers/user.py

@@ -1,5 +1,6 @@
 # Module imports
 from plane.db.models import User
+
 from .base import BaseSerializer
 
 
@@ -10,7 +11,9 @@ class Meta:
             "id",
             "first_name",
             "last_name",
+            "email",
             "avatar",
             "display_name",
+            "email",
         ]
         read_only_fields = fields

apiserver/plane/api/urls/cycle.py

@@ -34,7 +34,7 @@
         name="transfer-issues",
     ),
     path(
-        "workspaces/<str:slug>/projects/<uuid:project_id>/cycles/<uuid:pk>/archive/",
+        "workspaces/<str:slug>/projects/<uuid:project_id>/cycles/<uuid:cycle_id>/archive/",
         CycleArchiveUnarchiveAPIEndpoint.as_view(),
         name="cycle-archive-unarchive",
     ),

apiserver/plane/api/urls/project.py

@@ -12,7 +12,7 @@
         name="project",
     ),
     path(
-        "workspaces/<str:slug>/projects/<uuid:project_id>/",
+        "workspaces/<str:slug>/projects/<uuid:pk>/",
         ProjectAPIEndpoint.as_view(),
         name="project",
     ),

apiserver/plane/api/views/base.py

@@ -7,6 +7,7 @@
 from django.conf import settings
 from django.core.exceptions import ObjectDoesNotExist, ValidationError
 from django.db import IntegrityError
+from django.urls import resolve
 from django.utils import timezone
 from rest_framework import status
 from rest_framework.permissions import IsAuthenticated
@@ -165,7 +166,12 @@ def workspace_slug(self):
 
     @property
     def project_id(self):
-        return self.kwargs.get("project_id", None)
+        project_id = self.kwargs.get("project_id", None)
+        if project_id:
+            return project_id
+
+        if resolve(self.request.path_info).url_name == "project":
+            return self.kwargs.get("pk", None)
 
     @property
     def fields(self):