From 7a8d38f6d2da8d418b791a9e41baa7caa26fbc08 Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Fri, 3 Apr 2026 19:45:38 +0700
Subject: [PATCH] fix(security): potential unauthenticated object creation endpoint

`CreateInternalIssue` exposes `CreateAPIView` without an explicit `permission_classes` declaration. If global DRF permissions are permissive, attackers could create or mutate internal issue records without authorization.

Affected files: internal_issue.py

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 treeherder/webapp/api/internal_issue.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/treeherder/webapp/api/internal_issue.py b/treeherder/webapp/api/internal_issue.py
index 33cb63d6701..6ae65b95d29 100644
--- a/treeherder/webapp/api/internal_issue.py
+++ b/treeherder/webapp/api/internal_issue.py
@@ -1,4 +1,4 @@
-from rest_framework import generics
+from rest_framework import generics, permissions
 
 from treeherder.webapp.api.serializers import InternalIssueSerializer
 
@@ -12,3 +12,4 @@ class CreateInternalIssue(generics.CreateAPIView):
     """
 
     serializer_class = InternalIssueSerializer
+    permission_classes = [permissions.IsAuthenticated]
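Review bot: The added `permission_classes = [permissions.IsAuthenticated]` in the second hunk only rejects callers with no session or token; any logged-in account can still POST to this view, so if internal issues are meant to be created by a narrower set of principals (staff, a service identity), a stricter project-level permission class would be the stronger fix — worth checking against what the sibling views in this package declare. The change ships no regression test; one that POSTs to the view unauthenticated and asserts a 401/403 would keep the explicit declaration from being silently dropped again. A why-comment would also stop the next reader from treating the line as redundant with the global default: `# Declared explicitly so this view never inherits a permissive DEFAULT_PERMISSION_CLASSES.` Note that `CreateAPIView` maps only POST, so the description's "create or mutate" overstates what the endpoint exposes, and the `CreateInternalIssue` class body begins above the hunk (its docstring opens before line 12); the first hunk only extends the import.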