apps/server/src/core/page/transclusion/page-template.controller.ts

@@ -67,6 +67,12 @@ export class PageTemplateController {
       throw new NotFoundException('Page not found');
     }
 
+    if (page.workspaceId !== user.workspaceId) {
+      // Defense-in-depth: never act on a page outside the caller's workspace.
+      // Use NotFound (not Forbidden) to avoid leaking cross-workspace existence.
+      throw new NotFoundException('Page not found');
+    }
+
     await this.pageAccessService.validateCanEdit(page, user);
 
     const isTemplate =

apps/server/src/core/page/transclusion/transclusion.service.ts

@@ -317,6 +317,7 @@ export class TransclusionService {
     if (toDelete.length > 0) {
       await this.pageTemplateReferencesRepo.deleteByReferenceAndSources(
         referencePageId,
+        workspaceId,
         toDelete,
         trx,
       );

apps/server/src/database/repos/page-template-references/page-template-references.repo.ts

@@ -38,12 +38,15 @@ export class PageTemplateReferencesRepo {
 
   async deleteByReferenceAndSources(
     referencePageId: string,
+    workspaceId: string,
     sourcePageIds: string[],
     trx?: KyselyTransaction,
   ): Promise<void> {
     if (sourcePageIds.length === 0) return;
     await dbOrTx(this.db, trx)
       .deleteFrom('pageTemplateReferences')
+      // Defense-in-depth: scope deletes to the caller's workspace.
+      .where('workspaceId', '=', workspaceId)
       .where('referencePageId', '=', referencePageId)
       .where('sourcePageId', 'in', sourcePageIds)
       .execute();