fix(GRO-986): add businessId scoping to portal conversation messages query

The GET /portal/conversation/messages endpoint was missing businessId
scoping, allowing cross-tenant data access. This adds businessId from
businessSettings to the conversation lookup in the messages endpoint,
matching the existing GET /portal/conversation protection.

Also adds missing lt mock to portal test suite.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-14 18:22:06 +00:00
committed by Flea Flicker [agent]
parent d2291e3a4a
commit 389c10fe92
2 changed files with 3 additions and 1 deletions
@@ -143,6 +143,7 @@ vi.mock("@groombook/db", () => {
messages,
eq: vi.fn(),
and: vi.fn(),
lt: vi.fn(),
desc: vi.fn((col: unknown) => ({ _name: "desc", col })),
};
});
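Review bot: the `lt: vi.fn()` added here, like the `eq` and `and` mocks above it, returns undefined, so the test suite still cannot tell a where clause built as `and(eq(clientId), eq(businessId))` from the old bare `eq(clientId)`, and the cross-tenant fix this commit makes has no test that would fail if it regressed. Give these mocks tagged return values in the style of the existing `desc` mock, e.g. `and: vi.fn((...conds: unknown[]) => ({ _name: "and", conds }))` and `eq: vi.fn((col: unknown, val: unknown) => ({ _name: "eq", col, val }))`, and add an assertion in the portal messages test that the conversation lookup's where argument contains the businessId condition.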
@@ -212,11 +212,12 @@ portalRouter.get("/conversation/messages", async (c) => {
const [settings] = await db.select({ id: businessSettings.id }).from(businessSettings).limit(1);
if (!settings) return c.json({ error: "Business not configured" }, 500);
const businessId = settings.id;
const [conversation] = await db
.select({ id: conversations.id })
.from(conversations)
.where(eq(conversations.clientId, clientId))
.where(and(eq(conversations.clientId, clientId), eq(conversations.businessId, businessId)))
.limit(1);
if (!conversation) {
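Review bot: the businessId used for scoping is taken from `db.select({ id: businessSettings.id }).from(businessSettings).limit(1)` with no where clause and no ordering, so it is whichever businessSettings row the database happens to return first, not the tenant the portal client is authenticated for. If businessSettings holds more than one row the new `eq(conversations.businessId, businessId)` condition scopes to an arbitrary tenant; if it holds exactly one row the condition never narrows the lookup beyond `clientId`. Derive businessId from the same authenticated source that supplies `clientId` (or from the client's own record), and keep the "Business not configured" 500 for a genuinely absent configuration. Since the commit message says this mirrors the existing GET /portal/conversation handler, that handler has the same weakness and should be changed together with this one.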