Pranav
2adc040a8f
fix: Validate blob before attaching it to a record (#13115)
Previously, attachments relied only on blob_id, which made it possible
to attach blobs across accounts by enumerating IDs. We now require both
blob_id and blob_key, add cross-account validation to prevent blob
reuse, and centralize the logic in a shared BlobOwnershipValidation
concern.
It also fixes a frontend bug where mixed-type action params (number +
string) were incorrectly dropped, causing attachment uploads to fail.
2025-12-19 19:02:21 -08:00
Pranav
86da3f7c06
fix: Remove account_id from params since it is not used (#13116)
account_id was permitted in strong parameters, allowing authenticated
admins to transfer resources (Portals, Automation Rules, Macros) to
arbitrary accounts.
Fix: Removed account_id from permitted params in 4 controllers:
- portals_controller.rb
- automation_rules_controller.rb
- macros_controller.rb
- twilio_channels_controller.rb
2025-12-19 17:07:53 -08:00
Shivam Mishra
9ebabb9832
feat: common attachment endpoint follow-up changes (#7826)
2023-09-01 15:18:48 +07:00
Sojan Jose
7ab7bac6bf
chore: Enable the new Rubocop rules (#7122)
fixes: https://linear.app/chatwoot/issue/CW-1574/renable-the-disabled-rubocop-rules
2023-05-19 14:37:10 +05:30
Tejaswini Chile
48373628a1
fix: Macros authorizations (#5779)
Macros policy update.
ref: #5730
2022-11-07 17:46:00 -08:00
Tejaswini Chile
a274a1702a
chore: Macros enhancement (#5609)
- Fixed send_attachment and send_email_transcript
- Fixed duplicate activity messages
- Fixed Order of execution
Fixes: #5584
2022-10-20 19:41:48 -07:00
Tejaswini Chile
111016fe4c
fix: Add not found status if macro not found (#5473)
2022-09-21 14:10:35 +05:30
Tejaswini Chile
6a4c0a1578
feat: Execute macro actions, for the conversation (#5066)
2022-07-26 12:41:22 +05:30
Tejaswini Chile
0cee42a9f9
feat: Macros CRUD api (#5047)
2022-07-19 17:37:00 +05:30