psa-systems/mokosh-server
8
0
Fork 1
Code Issues Pull requests 2 Projects Releases Packages Wiki Activity Actions

fix(tickets): scope writes to tenant and validate FK references #209

Merged
David merged 3 commits from fix/pms-193-scope-tickets-writes-validate-fk into main 2026-06-13 23:42:03 +02:00
Conversation 0 Commits 3 Files changed 1 +21 -2
David commented 2026-06-13 17:50:48 +02:00
Owner
Copy link

add_note UPDATEd tickets filtered only by id, so a cross-tenant ticket_id corrupted another tenant's updated_at/first_response_at/SLA columns; both UPDATEs are now scoped by tenant_id and the ticket is FK-validated before the note INSERT.

create_ticket now FK-validates type_id/category_id, update_ticket now FK-validates priority_id/queue_id, and assign_ticket now validates assigned_to_id belongs to the tenant, so a request body cannot link a ticket to another tenant's row.

#PMS-193

add_note UPDATEd tickets filtered only by id, so a cross-tenant ticket_id corrupted another tenant's updated_at/first_response_at/SLA columns; both UPDATEs are now scoped by tenant_id and the ticket is FK-validated before the note INSERT. create_ticket now FK-validates type_id/category_id, update_ticket now FK-validates priority_id/queue_id, and assign_ticket now validates assigned_to_id belongs to the tenant, so a request body cannot link a ticket to another tenant's row. #PMS-193
fix(tickets): scope writes to tenant and validate FK references
Some checks failed
E2E / Playwright against staging (pull_request) Failing after 16s
Details
Check / fmt + clippy + compile + tests (pull_request) Failing after 2m35s
Details
0433815bd4 
add_note UPDATEd tickets filtered only by id, so a cross-tenant ticket_id corrupted another tenant's updated_at/first_response_at/SLA columns; both UPDATEs are now scoped by tenant_id and the ticket is FK-validated before the note INSERT.

create_ticket now FK-validates type_id/category_id, update_ticket now FK-validates priority_id/queue_id, and assign_ticket now validates assigned_to_id belongs to the tenant, so a request body cannot link a ticket to another tenant's row.

#PMS-193
Merge origin/main into fix/pms-193-scope-tickets-writes-validate-fk
Some checks failed
E2E / Playwright against staging (pull_request) Failing after 18s
Details
Check / fmt + clippy + compile + tests (pull_request) Successful in 4m49s
Details
bde8f81f73 
#PMS-193
ci: re-trigger Check (transient failure; green locally)
Some checks failed
Create release / Create release from merged PR (pull_request) Has been skipped
Details
E2E / Playwright against staging (pull_request) Failing after 24s
Details
Check / fmt + clippy + compile + tests (pull_request) Successful in 4m23s
Details
3154fbaf3c 
#PMS-193
David merged commit 85fd769008 into main 2026-06-13 23:42:03 +02:00
David deleted branch fix/pms-193-scope-tickets-writes-validate-fk 2026-06-13 23:42:03 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
psa-systems/mokosh-server!209
No description provided.