LeadMagnet/leadchat
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

fix: Validate blob before attaching it to a record (#13115)

Browse Source 
Previously, attachments relied only on blob_id, which made it possible
to attach blobs across accounts by enumerating IDs. We now require both
blob_id and blob_key, add cross-account validation to prevent blob
reuse, and centralize the logic in a shared BlobOwnershipValidation
concern.

It also fixes a frontend bug where mixed-type action params (number +
string) were incorrectly dropped, causing attachment uploads to fail.
This commit is contained in:
Pranav
2025-12-19 19:02:21 -08:00
committed by GitHub
parent 86da3f7c06
commit 2adc040a8f
9 changed files with 278 additions and 90 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
config/locales/en.yml
View File

@@ -62,6 +62,8 @@ en:
failed: Signup failed
assignment_policy:
not_found: Assignment policy not found
attachments:
invalid: Invalid attachment
saml:
feature_not_enabled: SAML feature not enabled for this account
sso_not_enabled: SAML SSO is not enabled for this installation