[diff] foss-main vs preview-old (v1.2.3)#26
Closed
aznszn wants to merge 162 commits into
…8644)

* fix: idor issues in project assets and issue attachments
* fix: comments
Bumps the pip group with 1 update in the /apps/api/requirements directory: [cryptography](https://github.com/pyca/cryptography).

Updates `cryptography` from 44.0.1 to 46.0.5
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@44.0.1...46.0.5)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.5
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Copilot <[email protected]>
* refactor: description input component * fix: add missing prop to rich text editor
…makeplane#8692)

Bumps [python-json-logger](https://github.com/nhairs/python-json-logger) from 3.3.0 to 4.0.0.
- [Release notes](https://github.com/nhairs/python-json-logger/releases)
- [Changelog](https://github.com/nhairs/python-json-logger/blob/main/docs/changelog.md)
- [Commits](nhairs/python-json-logger@v3.3.0...v4.0.0)

---
updated-dependencies:
- dependency-name: python-json-logger
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…8693)

Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.4.0 to 9.0.2.
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@7.4.0...9.0.2)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat: instance not ready ui revamp
* chore: code refactoring
* chore: code refactoring
* [WEB-6610] Fix work item drag handle hover gap
  Amp-Thread-ID: https://ampcode.com/threads/T-019ce703-e30e-769b-9436-a7f5506e8a6c
  Co-authored-by: Amp <[email protected]>
* fix: use p-0! pl-6! for correct drag handle hover area
  Amp-Thread-ID: https://ampcode.com/threads/T-019ce703-e30e-769b-9436-a7f5506e8a6c
  Co-authored-by: Amp <[email protected]>
* fix: update containerClassName to -ml-6 border-none p-0! pl-6!
  Amp-Thread-ID: https://ampcode.com/threads/T-019ce703-e30e-769b-9436-a7f5506e8a6c
  Co-authored-by: Amp <[email protected]>

---------

Co-authored-by: Amp <[email protected]>
makeplane#8741)

Bumps the actions group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4` | `6` |
| [makeplane/actions](https://github.com/makeplane/actions) | `1.0.0` | `1.4.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4` | `7` |
| [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `2.1.0` | `2.5.0` |
| [actions/setup-node](https://github.com/actions/setup-node) | `4` | `6` |
| [actions/setup-go](https://github.com/actions/setup-go) | `5` | `6` |
| [docker/login-action](https://github.com/docker/login-action) | `3` | `4` |
| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3` | `4` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `6.9.0` | `7.0.0` |
| [tailscale/github-action](https://github.com/tailscale/github-action) | `2` | `4` |
| [actions/cache](https://github.com/actions/cache) | `4` | `5` |

Updates `actions/checkout` from 4 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

Updates `makeplane/actions` from 1.0.0 to 1.4.0
- [Release notes](https://github.com/makeplane/actions/releases)
- [Commits](makeplane/actions@v1.0.0...v1.4.0)

Updates `actions/upload-artifact` from 4 to 7
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4...v7)

Updates `softprops/action-gh-release` from 2.1.0 to 2.5.0
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@v2.1.0...v2.5.0)

Updates `actions/setup-node` from 4 to 6
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v4...v6)

Updates `actions/setup-go` from 5 to 6
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v5...v6)

Updates `docker/login-action` from 3 to 4
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@v3...v4)

Updates `docker/setup-buildx-action` from 3 to 4
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@v3...v4)

Updates `docker/build-push-action` from 6.9.0 to 7.0.0
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@v6.9.0...v7.0.0)

Updates `tailscale/github-action` from 2 to 4
- [Release notes](https://github.com/tailscale/github-action/releases)
- [Commits](tailscale/github-action@v2...v4)

Updates `actions/cache` from 4 to 5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: makeplane/actions
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: softprops/action-gh-release
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/setup-go
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/login-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/setup-buildx-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/build-push-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: tailscale/github-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/cache
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…-core) (makeplane#8751)

* fix: remove unused imports and variables (part 1)
  Resolve oxlint no-unused-vars warnings in packages/*, apps/admin, apps/space, apps/live, and apps/web (non-core).
* fix: resolve CI check failures
* fix: resolve check:types failures
* fix: resolve check:types and check:format failures
  - Use destructuring alias for activeCycleResolvedPath
  - Format propel tab-navigation file
* fix: format propel button helper with oxfmt
  Reorder Tailwind classes to match oxfmt canonical ordering.
…s) (makeplane#8752)

* fix: remove unused imports and variables (part 2)
  Resolve oxlint no-unused-vars warnings in apps/web/core/ (excluding components/issues/).
* fix: resolve CI check failures
* fix: resolve check:types failures
Resolve oxlint no-unused-vars warnings in apps/web/core/components/issues/.
Agent-Logs-Url: https://github.com/Pressingly/plane/sessions/e547eb55-f665-43bb-a581-fadb1224613b Co-authored-by: awais786 <[email protected]>
Agent-Logs-Url: https://github.com/Pressingly/plane/sessions/c9e438f9-104f-440c-9990-21bb292ed8ae Co-authored-by: awais786 <[email protected]>
Agent-Logs-Url: https://github.com/Pressingly/plane/sessions/c9e438f9-104f-440c-9990-21bb292ed8ae Co-authored-by: awais786 <[email protected]>
Agent-Logs-Url: https://github.com/Pressingly/plane/sessions/c9e438f9-104f-440c-9990-21bb292ed8ae Co-authored-by: awais786 <[email protected]>
Three small follow-ups on PR #29 from review:

- Inline `_normalise_email(self._read_proxy_email(request))` once into `email` and reuse it for both the mismatch comparison and the DB lookup, removing the second `_normalise_email(proxy_email)` call.
- Add `TODO(security)` on `_read_proxy_email` pointing at `fix/proxy-auth-reject-bare-username` for the bare-username synthesis vulnerability this PR preserves but does not address.
- Add `test_bypass_dominates_mismatched_proxy_header` to lock in that the bypass check at the top of `__call__` runs before the new mismatch logout flow — guards god-mode local admin sessions from being kicked out by an unrelated mPass identity reaching the same browser.

All 22 proxy_auth tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Agent-Logs-Url: https://github.com/Pressingly/plane/sessions/850afff6-c51c-4bfa-8f10-56dfea5d6efa Co-authored-by: awais786 <[email protected]>
…tive Agent-Logs-Url: https://github.com/Pressingly/plane/sessions/e3de1135-e926-4554-b4ad-23ad11cd16aa Co-authored-by: awais786 <[email protected]>
Adds a per-fork deterministic audit that catches regressions of the
cross-app SSO contract in Pressingly/plane BEFORE they reach
foss-server-bundle-devstack. The bundle's CI runs an audit that emits
`?` for fork-side rows because the forks aren't checked out there;
this PR closes that gap from Plane's side.
What it checks
scripts/sso-audit.sh runs three deterministic checks against the
files in this fork that satisfy fork-side rows of
awais786/sso-rules-moneta:openspec/specs/proxy-auth-middleware/spec.md:
Row 14 — logout shape: apps/web/core/store/user/index.ts MUST NOT
call /oauth2/sign_out. Per logout-flow spec the per-app
button is navigation-only; portal "Logout all" handles
oauth2-proxy clearing.
Row 20 — session-identity reconciliation (Rule 2 mismatch flush):
apps/api/plane/authentication/middleware/proxy_auth.py
MUST import django.contrib.auth.logout AND invoke
logout(request). Without it, the stale-session-on-user-
switch leak returns. SECURITY-CRITICAL — exit 1 on miss.
Row 21 — polynomial-regex avoidance: proxy_auth.py +
proxy_auth_utils.py MUST NOT introduce an unanchored
[^\s@]+@[^\s@]+\.[^\s@]+ regex. Plane uses substring
check today, so this is a regression guard.
When upstream sso-rules-moneta adds new fork-side rows, vendor the
updated check by editing this script.
How it's wired
.github/workflows/sso-audit.yml runs the script on:
- pull_request paths: apps/api/plane/authentication/**, apps/web's
auth-related modules, the script itself, the workflow itself
- push to foss-main
- weekly schedule (Mon 09:00 UTC)
- manual workflow_dispatch
Output is published in three places:
- GitHub job summary (always)
- Sticky PR comment via marocchino/sticky-pull-request-comment@v2
(PR runs only — one comment per PR, updated on each push)
- Exit code 1 on security-critical violations → merge blocked
Local dry-run
On foss-main (pre-PR-29 state): row 20 fires ❌ because
proxy_auth.py lacks the django_auth.logout import. Exit 1.
Confirms the gate works.
On fix/proxy-auth-stale-session-on-user-switch: all three rows ✅.
Confirms the gate releases when the fix lands.
Note: the audit script lives at scripts/sso-audit.sh which was
otherwise gitignored under `scripts/`. The .gitignore is updated to a
more specific `scripts/*` glob with a `!scripts/sso-audit.sh`
negation so this single file can be tracked while leaving the rest
of scripts/ ignored.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
All four comments from the PR #32 review are valid.

Fixes:

#1 (sso-audit.sh:29) — Row 14 description claimed three checks (no /oauth2/sign_out, portal-host redirect, no POST /auth/sign-out/) but the function only verifies the first. Narrows the comment to match what's actually implemented. The other two properties from logout-flow spec need runtime context or AST analysis; not in scope for this deterministic gate.

#2 (sso-auth.sh:131) — Row 20 detection was brittle:
- Single-line regex missed parenthesized multiline imports (`from django.contrib.auth import (\n login,\n logout,\n)`)
- Call regex required exact `logout(request)` — missed whitespace (`logout( request )`), keyword form (`logout(request=request)`), and aliased call sites (`auth_logout(request)`)

Could false-fail on legitimate fixes → block merges spuriously.

New detection uses Python's `ast` module to parse the proxy_auth.py import block and extract the in-scope name for django.contrib.auth.logout (alias or plain). Then a whitespace-tolerant grep checks for a call to that name. Handles every variant in one pass without writing multi-line regex in bash. Verified against a synthetic fixture with aliased + parenthesized + whitespaced call.

#3 (sso-audit.sh:191) — Output referenced `skills/app-rules/SKILL.md`, which lives in awais786/sso-rules-moneta, not in Pressingly/plane. Confused readers of the sticky PR comment. Replaced both repo-relative references with full GitHub URLs so the links work from the PR view.

#4 (.github/workflows/sso-audit.yml:62) — `marocchino/sticky-pull-request-comment@v2` needs `pull-requests: write`. PRs from external forks get a read-only GITHUB_TOKEN regardless of declared permissions, and the action errors out, marking the whole workflow failed even when the audit passed.

Two-layer fix:
- Skip the comment step on fork PRs via `github.event.pull_request.head.repo.full_name == github.repository`
- Add `continue-on-error: true` as a defensive belt so other comment-posting failures (rate limit, GitHub API blip) don't fail the audit gate either

The audit gate itself (final exit-1 step) is unaffected — still blocks merge on security-critical violations regardless of comment posting.

Local dry-run on foss-main still produces the expected red ❌ on row 20 with the new alias-aware detection. Switching to the fix branch detects the import (as `logout`) and the call site correctly.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Copilot review on PR #32 flagged that the `\b` word-boundary in the row-20 grep is a GNU `grep -E` extension and undefined on BSD / POSIX-strict implementations. macOS / Alpine / busybox grep may interpret it as literal backspace or literal `b`, causing the audit to silently miss real `logout(...)` calls and false-fail rows that should pass.

Replaced with POSIX character-class boundary: `(^|[^[:alnum:]_])<alias>[[:space:]]*\(`

`(^|[^[:alnum:]_])` matches start-of-line OR any non-word character before the alias name — semantically identical to `\b` at the left edge, but using only ERE constructs that work in every grep implementation. The right edge doesn't need a boundary because `[[:space:]]*\(` already requires the next non-space character to be `(`, which disambiguates `logout(` from `logout_more(`.

Verified against six fixtures:
- `logout(request)` → match ✅
- `auth_logout( request )` → match ✅
- ` logout(request=request)` → match ✅
- `my_xauth_logout(request)` vs alias=auth_logout → skip ✅
- leading start-of-line → match ✅
- `something_logout(request)` vs alias=logout → skip ✅

The fifth Copilot comment is the last open one; the previous four are addressed by commit 4fb4805.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
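One way to implement the alias-aware row-20 check that the two commit messages above describe, written here as an added example rather than the fork's own scripts/sso-audit.sh: Python's `ast` module finds the in-scope name bound to `django.contrib.auth.logout` (handling parenthesized multi-line imports and `as` aliases), and the call-site check mirrors the POSIX ERE `(^|[^[:alnum:]_])<alias>[[:space:]]*\(` in Python's `re`. The `FIXTURE` source is constructed for the example and stands in for proxy_auth.py.

```python
import ast
import re
from typing import Optional, Tuple

# Constructed fixture standing in for apps/api/plane/authentication/middleware/proxy_auth.py;
# it exercises the parenthesized multi-line import, an alias and a whitespaced call site.
FIXTURE = """
from django.contrib.auth import (
    login,
    logout as auth_logout,
)

def reconcile(request, proxy_email):
    # Rule 2 mismatch flush: drop the stale session when the proxied identity changes
    if request.user.is_authenticated and request.user.email != proxy_email:
        auth_logout( request )
"""


def find_logout_alias(source: str) -> Optional[str]:
    """Return the in-scope name bound to django.contrib.auth.logout, or None.

    ast.parse sees the whole import block as one node, so parenthesized
    multi-line imports and `as` aliases need no multi-line regex.
    """
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom) and node.module == "django.contrib.auth":
            for alias in node.names:
                if alias.name == "logout":
                    return alias.asname or alias.name
    return None


def call_pattern(alias: str) -> "re.Pattern[str]":
    """Python equivalent of the POSIX ERE `(^|[^[:alnum:]_])<alias>[[:space:]]*\\(`."""
    return re.compile(r"(^|[^A-Za-z0-9_])" + re.escape(alias) + r"\s*\(", re.MULTILINE)


def has_logout_call(source: str, alias: str) -> bool:
    """True when `alias(` appears with a non-word character (or line start) before it."""
    return call_pattern(alias).search(source) is not None


def audit_row20(source: str) -> Tuple[bool, str]:
    """Row 20 gate: logout must be imported from django.contrib.auth AND invoked."""
    alias = find_logout_alias(source)
    if alias is None:
        return False, "django.contrib.auth.logout is not imported"
    if not has_logout_call(source, alias):
        return False, f"{alias} is imported but never called"
    return True, f"logout is imported as {alias!r} and called"


if __name__ == "__main__":
    ok, detail = audit_row20(FIXTURE)
    print(("PASS" if ok else "FAIL") + ": " + detail)
    raise SystemExit(0 if ok else 1)  # exit 1 blocks the merge, as in the CI gate
```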
…ified

The previous message "navigation-only logout shape preserved" overstated what the check actually verifies. The audit only confirms the SPA does NOT call /oauth2/sign_out. It does NOT verify:
- whether the SPA POSTs /auth/sign-out/ (it does today — tolerated drift)
- what host the SPA navigates to after logout
- whether portal "Logout all" is wired correctly

The new message states exactly what's checked and acknowledges the tolerated POST /auth/sign-out/ drift so readers don't misread the ✅ as "per-app Logout is fully spec-conformant."

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
…n-user-switch fix: drop stale Django session when proxy identity changes
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
chore(ci): add fork-side SSO audit script + workflow
Plane SSO Fork Audit
Cross-app contract: https://github.com/awais786/sso-rules-moneta/blob/main/openspec/specs/proxy-auth-middleware/spec.md
All fork-side invariants hold.
Revert: fork-side SSO audit CI script + workflow
# Conflicts:
#	.codespellrc
#	.github/workflows/codespell.yml
#	apps/admin/Dockerfile.admin
#	apps/live/Dockerfile.live
#	apps/space/Dockerfile.space
#	apps/web/Dockerfile.web
This reverts commit 6357bb2.
revert: retire [email protected] pin (PRs #22 + #28) — fixed upstream in v1.3.1
Sync foss-main with upstream Plane v1.3.1
Diff comparison only — shows all custom changes on top of v1.2.3. Do not merge.