fix: Remove account_id from params since it is not used (#13116)

account_id was permitted in strong parameters, allowing authenticated admins to transfer resources (Portals, Automation Rules, Macros) to arbitrary accounts. Fix: Removed account_id from permitted params in 4 controllers: - portals_controller.rb - automation_rules_controller.rb - macros_controller.rb - twilio_channels_controller.rb
2025-12-19 17:07:53 -08:00
parent c22a31c198
commit 86da3f7c06
5 changed files with 20 additions and 17 deletions
--- a/app/controllers/api/v1/accounts/automation_rules_controller.rb
+++ b/app/controllers/api/v1/accounts/automation_rules_controller.rb
@@ -65,7 +65,7 @@ class Api::V1::Accounts::AutomationRulesController < Api::V1::Accounts::BaseCont

  def automation_rules_permit
    params.permit(
-      :name, :description, :event_name, :account_id, :active,
+      :name, :description, :event_name, :active,
      conditions: [:attribute_key, :filter_operator, :query_operator, :custom_attribute_type, { values: [] }],
      actions: [:action_name, { action_params: [] }]
    )
--- a/app/controllers/api/v1/accounts/channels/twilio_channels_controller.rb
+++ b/app/controllers/api/v1/accounts/channels/twilio_channels_controller.rb
@@ -64,7 +64,7 @@ class Api::V1::Accounts::Channels::TwilioChannelsController < Api::V1::Accounts:

  def permitted_params
    params.require(:twilio_channel).permit(
-      :account_id, :messaging_service_sid, :phone_number, :account_sid, :auth_token, :name, :medium, :api_key_sid
+      :messaging_service_sid, :phone_number, :account_sid, :auth_token, :name, :medium, :api_key_sid
    )
  end
 end
--- a/app/controllers/api/v1/accounts/macros_controller.rb
+++ b/app/controllers/api/v1/accounts/macros_controller.rb
@@ -60,7 +60,7 @@ class Api::V1::Accounts::MacrosController < Api::V1::Accounts::BaseController

  def permitted_params
    params.permit(
-      :name, :account_id, :visibility,
+      :name, :visibility,
      actions: [:action_name, { action_params: [] }]
    )
  end
--- a/app/controllers/api/v1/accounts/portals_controller.rb
+++ b/app/controllers/api/v1/accounts/portals_controller.rb
@@ -78,7 +78,7 @@ class Api::V1::Accounts::PortalsController < Api::V1::Accounts::BaseController

  def portal_params
    params.require(:portal).permit(
-      :id, :account_id, :color, :custom_domain, :header_text, :homepage_link,
+      :id, :color, :custom_domain, :header_text, :homepage_link,
      :name, :page_title, :slug, :archived, { config: [:default_locale, { allowed_locales: [] }] }
    )
  end