fix: Remove account_id from params since it is not used (#13116)

account_id was permitted in strong parameters, allowing authenticated admins to transfer resources (Portals, Automation Rules, Macros) to arbitrary accounts. Fix: Removed account_id from permitted params in 4 controllers: - portals_controller.rb - automation_rules_controller.rb - macros_controller.rb - twilio_channels_controller.rb
2025-12-19 17:07:53 -08:00
parent c22a31c198
commit 86da3f7c06
5 changed files with 20 additions and 17 deletions
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -140,24 +140,27 @@ GEM
      actionmailbox (>= 7.1.0)
      aws-sdk-s3 (~> 1, >= 1.123.0)
      aws-sdk-sns (~> 1, >= 1.61.0)
-    aws-eventstream (1.2.0)
+    aws-eventstream (1.4.0)
-    aws-partitions (1.760.0)
+    aws-partitions (1.1198.0)
-    aws-sdk-core (3.188.0)
+    aws-sdk-core (3.240.0)
-      aws-eventstream (~> 1, >= 1.0.2)
+      aws-eventstream (~> 1, >= 1.3.0)
-      aws-partitions (~> 1, >= 1.651.0)
+      aws-partitions (~> 1, >= 1.992.0)
-      aws-sigv4 (~> 1.5)
+      aws-sigv4 (~> 1.9)
      base64
      bigdecimal
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.64.0)
+      logger
-      aws-sdk-core (~> 3, >= 3.165.0)
+    aws-sdk-kms (1.118.0)
-      aws-sigv4 (~> 1.1)
+      aws-sdk-core (~> 3, >= 3.239.1)
-    aws-sdk-s3 (1.126.0)
+      aws-sigv4 (~> 1.5)
-      aws-sdk-core (~> 3, >= 3.174.0)
+    aws-sdk-s3 (1.208.0)
      aws-sdk-core (~> 3, >= 3.234.0)
      aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.4)
+      aws-sigv4 (~> 1.5)
    aws-sdk-sns (1.70.0)
      aws-sdk-core (~> 3, >= 3.188.0)
      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.5.2)
+    aws-sigv4 (1.12.1)
      aws-eventstream (~> 1, >= 1.0.2)
    barnes (0.0.9)
      multi_json (~> 1)
--- a/app/controllers/api/v1/accounts/automation_rules_controller.rb
+++ b/app/controllers/api/v1/accounts/automation_rules_controller.rb
@@ -65,7 +65,7 @@ class Api::V1::Accounts::AutomationRulesController < Api::V1::Accounts::BaseCont
  def automation_rules_permit
    params.permit(
-      :name, :description, :event_name, :account_id, :active,
+      :name, :description, :event_name, :active,
      conditions: [:attribute_key, :filter_operator, :query_operator, :custom_attribute_type, { values: [] }],
      actions: [:action_name, { action_params: [] }]
    )
--- a/app/controllers/api/v1/accounts/channels/twilio_channels_controller.rb
+++ b/app/controllers/api/v1/accounts/channels/twilio_channels_controller.rb
@@ -64,7 +64,7 @@ class Api::V1::Accounts::Channels::TwilioChannelsController < Api::V1::Accounts:
  def permitted_params
    params.require(:twilio_channel).permit(
-      :account_id, :messaging_service_sid, :phone_number, :account_sid, :auth_token, :name, :medium, :api_key_sid
+      :messaging_service_sid, :phone_number, :account_sid, :auth_token, :name, :medium, :api_key_sid
    )
  end
 end
--- a/app/controllers/api/v1/accounts/macros_controller.rb
+++ b/app/controllers/api/v1/accounts/macros_controller.rb
@@ -60,7 +60,7 @@ class Api::V1::Accounts::MacrosController < Api::V1::Accounts::BaseController
  def permitted_params
    params.permit(
-      :name, :account_id, :visibility,
+      :name, :visibility,
      actions: [:action_name, { action_params: [] }]
    )
  end
--- a/app/controllers/api/v1/accounts/portals_controller.rb
+++ b/app/controllers/api/v1/accounts/portals_controller.rb
@@ -78,7 +78,7 @@ class Api::V1::Accounts::PortalsController < Api::V1::Accounts::BaseController
  def portal_params
    params.require(:portal).permit(
-      :id, :account_id, :color, :custom_domain, :header_text, :homepage_link,
+      :id, :color, :custom_domain, :header_text, :homepage_link,
      :name, :page_title, :slug, :archived, { config: [:default_locale, { allowed_locales: [] }] }
    )
  end