A single PR adding Pages CRUD to the public v1 API had basic unit tests but missed authorization bypass, rate limiting, and cross-workspace isolation. OrangePro surfaced all 6 from one pull request.
Every requirement was extracted from the PR, mapped to existing tests, and verified against the codebase.
Coverage Distribution
Requirement Coverage
| # | Requirement | Code Symbol | Existing Test | Status |
|---|---|---|---|---|
| R1 | GET /pages/ returns paginated list of project pages | PageListCreateAPIEndpoint | Unit | COVERED |
| R2 | POST /pages/ creates page with valid data and permissions | PageListCreateAPIEndpoint | Unit (partial) | PARTIAL |
| R3 | API rejects requests without valid authentication | APIKeyAuthentication | None | GAP |
| R4 | API prevents cross-workspace page access | PageDetailAPIEndpoint | None | GAP |
| R5 | DELETE /pages/:id requires appropriate permissions | PageDetailAPIEndpoint | Partial | PARTIAL |
| R6 | API sanitizes input to prevent XSS in page content | PageAPISerializer | None | GAP |
| R7 | API enforces rate limiting on page creation | throttle_classes | None | GAP |
| R8 | API returns proper error responses for invalid page IDs | PageDetailAPIEndpoint | None | GAP |
| R9 | API key with read-only scope cannot create/update/delete pages | APIKeyAuthentication | None | GAP |
These gaps were verified by searching the repository's test directories. Each finding includes the exact search query and result so you can reproduce it yourself.
The v1 API exposes page data across workspaces. No test validates that workspace-level isolation is enforced — a user from workspace A should never access workspace B's pages via the API.
Page title and description fields accept user input that gets rendered in the UI. No test in apiserver/tests/ validates that malicious input (script tags, SQL injection payloads) is properly sanitized.
The API supports scoped API keys (read-only, read-write), but no test validates that a read-only key is rejected when attempting POST, PATCH, or DELETE operations on page endpoints.
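The three gaps above (no authentication, cross-workspace access, and read-only key scope) share one shape: a test that sends a request the endpoint must refuse and asserts on the status code. The block below is an added, framework-free illustration of those checks and of the test cases the report says are missing; it is not OrangePro's code nor the analyzed repository's. The `ApiKey`, `Page`, `Store` and `handle_page_request` names, the two-workspace fixture, and the choice to answer cross-workspace lookups with 404 rather than 403 are all assumptions made for the example.

```python
# Added example: a minimal stand-in for the authorization decisions behind
# R3, R4, R8 and R9. Every name here is hypothetical, not the project's API.
from dataclasses import dataclass, field
from typing import Dict, Optional

READ_ONLY = "read-only"
READ_WRITE = "read-write"
WRITE_METHODS = {"POST", "PATCH", "DELETE"}


@dataclass(frozen=True)
class ApiKey:
    token: str
    workspace_id: int
    scope: str


@dataclass
class Page:
    id: int
    workspace_id: int
    title: str


@dataclass
class Store:
    keys: Dict[str, ApiKey] = field(default_factory=dict)   # token -> key
    pages: Dict[int, Page] = field(default_factory=dict)    # page id -> page


def authenticate(store: Store, auth_header: Optional[str]) -> Optional[ApiKey]:
    """R3: a missing, malformed or unknown key yields no identity."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    return store.keys.get(auth_header[len("Bearer "):])


def handle_page_request(store: Store, method: str,
                        page_id: Optional[int], auth_header: Optional[str]) -> int:
    """Return the HTTP status a /pages/ endpoint should produce."""
    key = authenticate(store, auth_header)
    if key is None:
        return 401                                  # R3: unauthenticated
    # R9: scope is checked before any object lookup, so a read-only key
    # learns nothing about pages it tries to modify.
    if method in WRITE_METHODS and key.scope != READ_WRITE:
        return 403
    if method == "POST":
        return 201
    page = store.pages.get(page_id)
    # R4 + R8: a page in another workspace is answered exactly like a page
    # that does not exist, so the API is not an existence oracle.
    if page is None or page.workspace_id != key.workspace_id:
        return 404
    return 204 if method == "DELETE" else 200


def build_store() -> Store:
    """Constructed fixture: two workspaces, one page each, three keys."""
    store = Store()
    store.keys["ro-a"] = ApiKey("ro-a", workspace_id=1, scope=READ_ONLY)
    store.keys["rw-a"] = ApiKey("rw-a", workspace_id=1, scope=READ_WRITE)
    store.keys["rw-b"] = ApiKey("rw-b", workspace_id=2, scope=READ_WRITE)
    store.pages[10] = Page(10, workspace_id=1, title="workspace A page")
    store.pages[20] = Page(20, workspace_id=2, title="workspace B page")
    return store


def run_gap_tests() -> Dict[str, int]:
    """The cases the report flags as untested, as name -> observed status."""
    s = build_store()
    return {
        "R3_no_auth": handle_page_request(s, "GET", 10, None),
        "R3_bad_token": handle_page_request(s, "GET", 10, "Bearer not-a-key"),
        "R4_cross_ws_get": handle_page_request(s, "GET", 20, "Bearer rw-a"),
        "R5_cross_ws_delete": handle_page_request(s, "DELETE", 20, "Bearer rw-a"),
        "R8_unknown_id": handle_page_request(s, "GET", 999, "Bearer rw-a"),
        "R9_ro_post": handle_page_request(s, "POST", None, "Bearer ro-a"),
        "R9_ro_delete": handle_page_request(s, "DELETE", 10, "Bearer ro-a"),
        "own_get": handle_page_request(s, "GET", 10, "Bearer rw-a"),
        "own_delete": handle_page_request(s, "DELETE", 10, "Bearer rw-a"),
    }


if __name__ == "__main__":
    for name, status in run_gap_tests().items():
        print(f"{name:20s} -> {status}")
```

In a real Django REST Framework test suite each entry of `run_gap_tests` would be one `APITestCase` method issuing the request with `self.client` and asserting on `response.status_code`; the point of the stand-in is the set of cases, not the transport. Note the ordering: the scope check runs before the object lookup, and a cross-workspace object is reported as 404, so neither a read-only key nor a key from another workspace can use response codes to enumerate page IDs.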
| Requirement | Before | After |
|---|---|---|
| GET /pages/ returns paginated list | ✓ Unit | ✓ Unit + Integration |
| POST /pages/ with valid permissions | ~ Partial | ✓ Unit + E2E |
| Unauthenticated request rejection | ✗ None | ✓ Integration |
| Cross-workspace page isolation | ✗ None | ✓ Integration + E2E |
| Unauthorized delete prevention | ~ Partial | ✓ Integration + E2E |
| XSS input sanitization | ✗ None | ✓ Unit + Integration |
| Rate limiting enforcement | ✗ None | ✓ Integration |
| Error responses for invalid IDs | ✗ None | ✓ Unit |
| API key scope enforcement | ✗ None | ✓ Integration + E2E |
Every finding in this analysis is based on a public GitHub repository. Clone the repo, run the searches we documented, and see the same results. No black boxes.