leadchat/app/models at 284977687c5e3ba764e5228106db0971742ff85c - leadchat - LeadGit

LeadMagnet/leadchat

Files

History

Shivam Mishra 284977687c fix: patch Devise confirmable race condition vulnerability (#13843 )

Devise 4.9.x has a race condition in the reconfirmable flow where
concurrent email change requests can desynchronize the confirmation
token from `unconfirmed_email`, letting an attacker confirm an email
they don't own. We use `:confirmable` with `reconfirmable = true`, so
we're directly exposed.

The upstream fix is in Devise 5.0.3, but we can't upgrade —
`devise-two-factor` only supports Devise 5 from v6.4.0, which also
raised its Rails minimum to 7.2+. No released version supports both
Devise 5 and Rails 7.1.

This PR ports the Devise 5.0.3 fix locally by overriding
`postpone_email_change_until_confirmation_and_regenerate_confirmation_token`
on the User model to persist the record before regenerating the token.
This is a stopgap — remove it once the dependency chain allows upgrading
to Devise 5.

### How to test

Sign in as a confirmed user and change your email. The app should send a
confirmation to the new address while keeping the current email
unchanged until confirmed.

2026-03-18 21:30:09 -07:00

..

feat(widget): Allow widget loading in mobile app WebViews when domain restrictions are set (#13763 )

2026-03-17 14:29:41 +04:00

feat: trigger assignment on resolve (#13780 )

2026-03-16 13:13:37 +05:30

Revert "chore: Upgrade Rails to 7.2.2 and update Gemfile dependencies (#11037 )"

2026-02-03 21:09:42 -08:00

access_token.rb

Feature: Access tokens for API access (#604 )

2020-03-11 00:02:15 +05:30

account_user.rb

feat: Add migration files for assignment v2 (#12147 )

2025-08-11 21:44:38 -07:00

account.rb

feat: Add force legacy auto-resolve flag (#13804 )

2026-03-13 15:04:58 -07:00

agent_bot_inbox.rb

Feature: Access tokens for API access (#604 )

2020-03-11 00:02:15 +05:30

agent_bot.rb

feat: APIs to assign agents_bots as assignee in conversations (#12836 )

2025-11-18 18:20:58 -08:00

application_record.rb

chore: fix sla email notifications (#9192 )

2024-04-04 21:16:49 +05:30

article.rb

feat(help-center): enable drag-and-drop category reordering (#13706 )

2026-03-05 12:53:38 +05:30

assignment_policy.rb

chore(annotations): sync model annotations with current schema (#12245 )

2025-08-20 20:23:42 +02:00

attachment.rb

fix: Handle Facebook reel attachment type (#13691 )

2026-03-06 08:49:41 +04:00

automation_rule.rb

feat: add mark pending action to automation (#13378 )

2026-02-02 11:59:51 +05:30

campaign.rb

feat: WhatsApp campaigns (#11910 )

2025-07-16 09:04:02 +05:30

canned_response.rb

chore: Apply fixes for items in rubocop_todo [CW-1806] (#8864 )

2024-02-07 13:36:04 +04:00

category.rb

feat: Add draft status for help center locales (#13768 )

2026-03-17 12:45:54 +04:00

contact_inbox.rb

fix: Change contact_inboxes.source_id to text column (#12882 )

2025-11-17 16:09:36 +05:30

contact.rb

fix: prevent deserialization error on deletion (#13264 )

2026-01-14 18:00:12 +05:30

conversation_participant.rb

chore: Add controllers for conversation participants (#6462 )

2023-02-15 16:33:31 -08:00

conversation.rb

fix: optimize message query with account_id filter (#13759 )

2026-03-10 16:46:20 -07:00

csat_survey_response.rb

feat(ee): Review Notes for CSAT Reports (#13289 )

2026-01-15 19:53:57 -08:00

custom_attribute_definition.rb

feat: harden filter service

2026-03-09 21:19:20 +05:30

custom_filter.rb

chore: Increase custom filter limit from 50 to 1000 per user (#12603 )

2025-10-06 10:41:26 -07:00

dashboard_app.rb

fix: validate url for Dashboard Apps [CW-2979] (#8736 )

2024-01-18 17:48:30 +05:30

data_import.rb

chore: Add delay before running dataimport job (#8039 )

2023-10-03 22:18:57 -07:00

email_template.rb

chore: upgrade ruby version to 3.4.4 (#11524 )

2025-05-21 19:40:07 +05:30

folder.rb

feat: Portal endpoint (#4633 )

2022-05-16 13:59:59 +05:30

inbox_assignment_policy.rb

feat: Add assignment policies controllers with jbuilder views (#12199 )

2025-08-18 19:15:21 -07:00

inbox_member.rb

feat: auditlog for team and inbox member updates (#7516 )

2023-08-15 19:55:19 -07:00

inbox.rb

feat: Add support for sending CSAT surveys via templates (Whatsapp Twilio) (#13143 )

2026-01-13 16:32:02 +04:00

installation_config.rb

Revert "chore: Upgrade Rails to 7.2.2 and update Gemfile dependencies (#11037 )"

2026-02-03 21:09:42 -08:00

integrations.rb

Feature: Slack integration (#783 )

2020-06-12 23:12:47 +05:30

jsonb_attributes_length_validator.rb

Fix: added validation for custom and additional attribute (#4260 )

2022-03-24 15:38:28 +05:30

kbase.rb

Feature: Knowledge Base APIs (#1002 )

2020-09-26 02:32:34 +05:30

label.rb

feat: multiple UX improvements to labels (#7358 )

2023-06-25 18:49:49 +05:30

macro.rb

feat: Add webhook event support for macros (#11235 )

2025-04-02 20:26:55 -07:00

mention.rb

fix: Notification page breakages (#5236 )

2022-08-10 13:46:46 +02:00

message.rb

feat: captain decides if conversation should be resolved or kept open (#13336 )

2026-03-13 10:03:58 +05:30

note.rb

feat(ee): Add Captain features (#10665 )

2025-01-14 16:15:47 -08:00

notification_setting.rb

fix: Specify external db with non-standard port (#2711 )

2021-07-28 19:36:51 +05:30

notification_subscription.rb

fix: Change the column identifier from string to text to avoid overflow (#9073 )

2024-03-07 11:13:01 +05:30

notification.rb

fix: pass serialized data in notification.deleted event to avoid Deserialisation (#13061 )

2026-01-12 13:15:40 +05:30

platform_app_permissible.rb

fix: SuperAdmin Improvements (#3733 )

2022-01-11 19:00:00 -08:00

platform_app.rb

Chore: Replaced dependent destroy with dependent destroy_async in all models (#3249 )

2021-11-18 10:32:29 +05:30

portal.rb

feat: Add draft status for help center locales (#13768 )

2026-03-17 12:45:54 +04:00

related_category.rb

feat: CRUD operation for associated articles to current article (#4912 )

2022-07-04 20:29:44 +05:30

reporting_event.rb

feat: allow querying reporting events via the API (#12832 )

2025-11-13 12:46:55 +05:30

super_admin.rb

feat: Add company model and API with tests (#12548 )

2025-10-08 07:53:43 -07:00

team_member.rb

feat: auditlog for team and inbox member updates (#7516 )

2023-08-15 19:55:19 -07:00

team.rb

feat: invalidate cache after inbox members or team members update (#10869 )

2025-02-20 21:28:38 -08:00

user.rb

fix: patch Devise confirmable race condition vulnerability (#13843 )

2026-03-18 21:30:09 -07:00

webhook.rb

feat: add per-webhook secret with backfill migration (#13573 )

2026-02-26 17:26:12 +05:30

working_hour.rb

chore: Replace deprecated functions (#5611 )

2022-10-12 14:55:59 -07:00