fix(GRO-986): add businessId scoping to portal conversation messages query
The GET /portal/conversation/messages endpoint was missing businessId scoping, allowing cross-tenant data access. This adds businessId from businessSettings to the conversation lookup in the messages endpoint, matching the existing GET /portal/conversation protection. Also adds missing lt mock to portal test suite. Co-Authored-By: Paperclip <noreply@paperclip.ing>
@@ -143,6 +143,7 @@ vi.mock("@groombook/db", () => {
|
|||||||
messages,
|
messages,
|
||||||
eq: vi.fn(),
|
eq: vi.fn(),
|
||||||
and: vi.fn(),
|
and: vi.fn(),
|
||||||
|
lt: vi.fn(),
|
||||||
desc: vi.fn((col: unknown) => ({ _name: "desc", col })),
|
desc: vi.fn((col: unknown) => ({ _name: "desc", col })),
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
|
|||||||
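Review bot: The new `lt: vi.fn()` stub returns `undefined`, exactly like the existing `eq` and `and` stubs, so the mocked query builder cannot tell a businessId-scoped `.where(...)` from the unscoped one this commit fixes; the test suite still compiles but does not pin the cross-tenant fix. Consider making these stubs return tagged objects the way `desc` already does, e.g. `eq: vi.fn((col: unknown, val: unknown) => ({ _name: "eq", col, val })),` and `and: vi.fn((...args: unknown[]) => ({ _name: "and", args })),`, and then asserting in the messages-endpoint test that `and` was called with an `eq` on `conversations.businessId`. That turns the mock addition into a regression test for the access-control bug named in the commit message. The `vi.mock` factory starts before this hunk.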
@@ -212,11 +212,12 @@ portalRouter.get("/conversation/messages", async (c) => {
|
|||||||
|
|
||||||
const [settings] = await db.select({ id: businessSettings.id }).from(businessSettings).limit(1);
|
const [settings] = await db.select({ id: businessSettings.id }).from(businessSettings).limit(1);
|
||||||
if (!settings) return c.json({ error: "Business not configured" }, 500);
|
if (!settings) return c.json({ error: "Business not configured" }, 500);
|
||||||
|
const businessId = settings.id;
|
||||||
|
|
||||||
const [conversation] = await db
|
const [conversation] = await db
|
||||||
.select({ id: conversations.id })
|
.select({ id: conversations.id })
|
||||||
.from(conversations)
|
.from(conversations)
|
||||||
.where(eq(conversations.clientId, clientId))
|
.where(and(eq(conversations.clientId, clientId), eq(conversations.businessId, businessId)))
|
||||||
.limit(1);
|
.limit(1);
|
||||||
|
|
||||||
if (!conversation) {
|
if (!conversation) {
|
||||||
|
|||||||
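Review bot: The businessId fed into the new `.where(and(eq(conversations.clientId, clientId), eq(conversations.businessId, businessId)))` is taken from `db.select({ id: businessSettings.id }).from(businessSettings).limit(1)`, which has no `where` or `orderBy`, so it is whichever settings row the database happens to return first rather than anything derived from the caller's identity. If the deployment only ever holds one `businessSettings` row this is a working single-tenant guard, but if more than one row can exist the predicate narrows to an arbitrary business and does not by itself establish that `clientId` belongs to it; the commit message says GET /portal/conversation uses the same lookup, so the same caveat presumably applies there. A more robust derivation would take businessId from the authenticated portal session alongside `clientId`, or at least make the single-row assumption explicit above the lookup, e.g. `// Single-tenant deployment: businessSettings is expected to hold exactly one row — TODO confirm before allowing multiple businesses.`. The handler's body and the binding of `clientId` lie outside this hunk, as does the `if (!conversation) {` branch that follows.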