From 3bfb998d06f1d2db54dff9670f97677b81e1b3d2 Mon Sep 17 00:00:00 2001
From: sriramveeraghanta
Date: Fri, 20 Feb 2026 17:46:31 +0530
Subject: [PATCH 1/2] fix: idor issues in project assets and issue attachements

---
 apps/api/plane/app/views/asset/v2.py | 2 +-
 apps/api/plane/app/views/issue/attachment.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/api/plane/app/views/asset/v2.py b/apps/api/plane/app/views/asset/v2.py
index 2961ec4bace..62c5f84a20b 100644
--- a/apps/api/plane/app/views/asset/v2.py
+++ b/apps/api/plane/app/views/asset/v2.py
@@ -579,7 +579,7 @@ def post(self, request, slug, project_id):
     @allow_permission([ROLE.ADMIN, ROLE.MEMBER, ROLE.GUEST])
     def patch(self, request, slug, project_id, pk):
         # get the asset id
-        asset = FileAsset.objects.get(id=pk)
+        asset = FileAsset.objects.get(id=pk, workspace__slug=slug, project_id=project_id)
         # get the storage metadata
         asset.is_uploaded = True
         # get the storage metadata
diff --git a/apps/api/plane/app/views/issue/attachment.py b/apps/api/plane/app/views/issue/attachment.py
index f0c55763ed1..5882a461311 100644
--- a/apps/api/plane/app/views/issue/attachment.py
+++ b/apps/api/plane/app/views/issue/attachment.py
@@ -60,7 +60,7 @@ def post(self, request, slug, project_id, issue_id):
 
     @allow_permission([ROLE.ADMIN], creator=True, model=FileAsset)
     def delete(self, request, slug, project_id, issue_id, pk):
-        issue_attachment = FileAsset.objects.get(pk=pk)
+        issue_attachment = FileAsset.objects.get(pk=pk, workspace__slug=slug, project_id=project_id, issue_id=issue_id)
         issue_attachment.asset.delete(save=False)
         issue_attachment.delete()
         issue_activity.delay(

From b0446cce0d9f1be7de968ede6599d91502b20b21 Mon Sep 17 00:00:00 2001
From: sriramveeraghanta
Date: Fri, 20 Feb 2026 18:00:16 +0530
Subject: [PATCH 2/2] fix: comments

---
 apps/api/plane/app/views/issue/attachment.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
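Review bot: The scoped lookup in `patch` still goes through `FileAsset.objects.get(...)`, so a `pk` that exists but lies outside the given workspace/project raises `FileAsset.DoesNotExist` rather than producing a 404, and unless a surrounding handler translates that exception (not visible here) the caller gets an unhandled-error response instead of a clean not-found. The second patch in this series moves the attachment `delete` view to `filter(...).first()` with an explicit 404 for exactly this reason but leaves this view on `.get()`, so the two fixed views now diverge on an out-of-scope id; the attachment.py hunk of this first patch had the same shape before the follow-up rewrote it. I would mirror the follow-up here: `asset = FileAsset.objects.filter(id=pk, workspace__slug=slug, project_id=project_id).first()` / `if not asset:` / `return Response(status=status.HTTP_404_NOT_FOUND)`, assuming `Response` and `status` are imported in v2.py as they are in attachment.py. The duplicated `# get the storage metadata` comment above `asset.is_uploaded = True` is also misleading for that line; `# mark the asset as uploaded` describes it. The body of `patch` continues below the hunk, so later uses of `asset` are not reviewed here.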
diff --git a/apps/api/plane/app/views/issue/attachment.py b/apps/api/plane/app/views/issue/attachment.py
index 5882a461311..fa03ae5f1c3 100644
--- a/apps/api/plane/app/views/issue/attachment.py
+++ b/apps/api/plane/app/views/issue/attachment.py
@@ -60,7 +60,11 @@ def post(self, request, slug, project_id, issue_id):
 
     @allow_permission([ROLE.ADMIN], creator=True, model=FileAsset)
     def delete(self, request, slug, project_id, issue_id, pk):
-        issue_attachment = FileAsset.objects.get(pk=pk, workspace__slug=slug, project_id=project_id, issue_id=issue_id)
+        issue_attachment = FileAsset.objects.filter(
+            pk=pk, workspace__slug=slug, project_id=project_id, issue_id=issue_id
+        ).first()
+        if not issue_attachment:
+            return Response(status=status.HTTP_404_NOT_FOUND)
         issue_attachment.asset.delete(save=False)
         issue_attachment.delete()
         issue_activity.delay(
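Review bot: The `@allow_permission([ROLE.ADMIN], creator=True, model=FileAsset)` decorator evaluates its creator check before the new scoped `filter(...)` runs, and the decorator itself is not visible in this hunk; if it resolves `pk` against `FileAsset` without the same `workspace__slug`/`project_id`/`issue_id` scope, a request for an attachment in another project would be refused by the decorator while a non-existent id reaches the new 404, so the two cases remain distinguishable by response. Worth confirming that the decorator applies the same scope (or denies uniformly with a not-found) so the view's 404 is the only observable outcome for ids outside the caller's project. As a style point, a model instance is always truthy, so `if issue_attachment is None:` states the intended check more precisely than `if not issue_attachment:`. `delete` continues below the hunk with the `issue_activity.delay(` call, which is not reviewed here.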