LeadMagnet/leadchat
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

fix: Validate blob before attaching it to a record (#13115)

Browse Source 
Previously, attachments relied only on blob_id, which made it possible
to attach blobs across accounts by enumerating IDs. We now require both
blob_id and blob_key, add cross-account validation to prevent blob
reuse, and centralize the logic in a shared BlobOwnershipValidation
concern.

It also fixes a frontend bug where mixed-type action params (number +
string) were incorrectly dropped, causing attachment uploads to fail.
This commit is contained in:
Pranav
2025-12-19 19:02:21 -08:00
committed by GitHub
parent 86da3f7c06
commit 2adc040a8f
9 changed files with 278 additions and 90 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/api/v1/accounts/upload_controller.rb
View File

@@ -59,7 +59,7 @@ class Api::V1::Accounts::UploadController < Api::V1::Accounts::BaseController
end
def render_success(file_blob)
render json: { file_url: url_for(file_blob), blob_key: file_blob.key, blob_id: file_blob.id }
render json: { file_url: url_for(file_blob), blob_id: file_blob.signed_id }
end
def render_error(message, status)