From 5704594c9816d9fc554eb63be538c84204b94f97 Mon Sep 17 00:00:00 2001
From: okxint
Date: Thu, 18 Jun 2026 15:28:08 +0530
Subject: [PATCH] fix: scope workspace user preference filter to current user
Without user=request.user on the PATCH filter, the ORM could match another user's preference record in the same workspace, causing pin/unpin state to leak across users or silently fail to persist.
Fixes #9260
Signed-off-by: okxint
---
 apps/api/plane/app/views/workspace/user_preference.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/api/plane/app/views/workspace/user_preference.py b/apps/api/plane/app/views/workspace/user_preference.py
index 83e380b9ec1..4e28fa57ec0 100644
--- a/apps/api/plane/app/views/workspace/user_preference.py
+++ b/apps/api/plane/app/views/workspace/user_preference.py
@@ -85,7 +85,7 @@ def patch(self, request, slug):
 if not key:
 continue
- preference = WorkspaceUserPreference.objects.filter(key=key, workspace__slug=slug).first()
+ preference = WorkspaceUserPreference.objects.filter(key=key, workspace__slug=slug, user=request.user).first()
 if not preference:
 continue
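Review bot: The corrected lookup at `preference = WorkspaceUserPreference.objects.filter(...)` ships without a regression test (the diffstat shows only user_preference.py changed), so nothing prevents the `user=request.user` scope from being dropped again in a later refactor. A test with two members of the same workspace, where one member's PATCH must leave the other member's row unchanged, would pin the access boundary down. I would also add a comment above the lookup, `# Scope to request.user: preferences are per-member; an unscoped lookup can return another member's row.` The `.first()` call still picks an arbitrary row if duplicates exist for the same workspace, user and key, so it is worth confirming that the model enforces uniqueness on that triple (not visible here). The body of patch() starts and ends outside the hunk, so any other WorkspaceUserPreference queries in this view should get the same scoping check.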