iachat/app/models
Vishnu Narayanan c884cdefde
feat: add per-account daily rate limit for outbound emails (#13411)
Introduce a daily cap on non-channel outbound emails to prevent abuse.

Fixes https://linear.app/chatwoot/issue/CW-6418/ses-incident-jan-28

## Type of change

- [x] New feature (non-breaking change which adds functionality)
- [x] Breaking change (fix or feature that would cause existing functionality not to work as expected)

## Summary
- Adds a Redis-based daily counter to rate limit outbound emails per account, preventing email abuse
- Covers continuity emails (WebWidget/API), conversation transcripts, and agent notifications
  - Email channel replies are excluded (paid feature, not abusable)
- Adds account suspension check in `ConversationReplyMailer` to block already-queued emails for suspended accounts

## Limit Resolution Hierarchy
1. Per-account override (`account.limits['emails']`) — SuperAdmin configurable
2. Enterprise plan-based (`ACCOUNT_EMAILS_PLAN_LIMITS` InstallationConfig)
3. Global default (`ACCOUNT_EMAILS_LIMIT` InstallationConfig, default: 100)
4. Fallback (`ChatwootApp.max_limit` — effectively unlimited)

## Enforcement Points
| Path | Where | Behavior |
|------|-------|----------|
| WebWidget/API continuity | `SendEmailNotificationService#should_send_email_notification?` | Silently skipped |
| Widget transcript | `Widget::ConversationsController#transcript` | Returns 429 |
| API transcript | `ConversationsController#transcript` | Returns 429 |
| Agent notifications | `Notification::EmailNotificationService#perform` | Silently skipped |
| Email channel replies | Not rate limited | Paid feature |
| Suspended accounts | `ConversationReplyMailer` | Blocked at mailer level |
2026-02-03 02:06:51 +05:30
..
channel fix: Setup webhooks for manual WhatsApp Cloud channel creation (#13278) 2026-01-19 14:12:36 +04:00
concerns feat: add per-account daily rate limit for outbound emails (#13411) 2026-02-03 02:06:51 +05:30
integrations feat: new Captain Editor (#13235) 2026-01-21 13:39:07 +05:30
access_token.rb Feature: Access tokens for API access (#604) 2020-03-11 00:02:15 +05:30
account_user.rb feat: Add migration files for assignment v2 (#12147) 2025-08-11 21:44:38 -07:00
account.rb feat: add per-account daily rate limit for outbound emails (#13411) 2026-02-03 02:06:51 +05:30
agent_bot_inbox.rb Feature: Access tokens for API access (#604) 2020-03-11 00:02:15 +05:30
agent_bot.rb feat: APIs to assign agents_bots as assignee in conversations (#12836) 2025-11-18 18:20:58 -08:00
application_record.rb chore: fix sla email notifications (#9192) 2024-04-04 21:16:49 +05:30
article.rb feat: improve article search ranking (#11640) 2025-06-03 12:01:17 +05:30
assignment_policy.rb chore(annotations): sync model annotations with current schema (#12245) 2025-08-20 20:23:42 +02:00
attachment.rb feat: TikTok channel (#12741) 2025-12-17 07:54:50 -08:00
automation_rule.rb feat: add mark pending action to automation (#13378) 2026-02-02 11:59:51 +05:30
campaign.rb feat: WhatsApp campaigns (#11910) 2025-07-16 09:04:02 +05:30
canned_response.rb chore: Apply fixes for items in rubocop_todo [CW-1806] (#8864) 2024-02-07 13:36:04 +04:00
category.rb chore: Increase Category index per-page limit to 1000 (#12282) 2025-08-22 12:41:38 -07:00
contact_inbox.rb fix: Change contact_inboxes.source_id to text column (#12882) 2025-11-17 16:09:36 +05:30
contact.rb fix: prevent deserialization error on deletion (#13264) 2026-01-14 18:00:12 +05:30
conversation_participant.rb chore: Add controllers for conversation participants (#6462) 2023-02-15 16:33:31 -08:00
conversation.rb perf(conversations): throttle agent_last_seen_at updates to reduce DB load (#13355) 2026-01-23 22:23:41 -08:00
csat_survey_response.rb feat(ee): Review Notes for CSAT Reports (#13289) 2026-01-15 19:53:57 -08:00
custom_attribute_definition.rb feat: Conversation workflows(EE) (#13040) 2026-01-27 11:36:20 +04:00
custom_filter.rb chore: Increase custom filter limit from 50 to 1000 per user (#12603) 2025-10-06 10:41:26 -07:00
dashboard_app.rb fix: validate url for Dashboard Apps [CW-2979] (#8736) 2024-01-18 17:48:30 +05:30
data_import.rb chore: Add delay before running dataimport job (#8039) 2023-10-03 22:18:57 -07:00
email_template.rb chore: upgrade ruby version to 3.4.4 (#11524) 2025-05-21 19:40:07 +05:30
folder.rb feat: Portal endpoint (#4633) 2022-05-16 13:59:59 +05:30
inbox_assignment_policy.rb feat: Add assignment policies controllers with jbuilder views (#12199) 2025-08-18 19:15:21 -07:00
inbox_member.rb feat: auditlog for team and inbox member updates (#7516) 2023-08-15 19:55:19 -07:00
inbox.rb feat: Add support for sending CSAT surveys via templates (Whatsapp Twilio) (#13143) 2026-01-13 16:32:02 +04:00
installation_config.rb feat: Control the allowed login methods via Super Admin (#12892) 2025-11-17 21:55:12 -08:00
integrations.rb Feature: Slack integration (#783) 2020-06-12 23:12:47 +05:30
jsonb_attributes_length_validator.rb Fix: added validation for custom and additional attribute (#4260) 2022-03-24 15:38:28 +05:30
kbase.rb Feature: Knowledge Base APIs (#1002) 2020-09-26 02:32:34 +05:30
label.rb feat: multiple UX improvements to labels (#7358) 2023-06-25 18:49:49 +05:30
macro.rb feat: Add webhook event support for macros (#11235) 2025-04-02 20:26:55 -07:00
mention.rb fix: Notification page breakages (#5236) 2022-08-10 13:46:46 +02:00
message.rb feat: Handle external echo messages from native apps (#13371) 2026-02-02 15:52:53 +05:30
note.rb feat(ee): Add Captain features (#10665) 2025-01-14 16:15:47 -08:00
notification_setting.rb fix: Specify external db with non-standard port (#2711) 2021-07-28 19:36:51 +05:30
notification_subscription.rb fix: Change the column identifier from string to text to avoid overflow (#9073) 2024-03-07 11:13:01 +05:30
notification.rb fix: pass serialized data in notification.deleted event to avoid Deserialisation (#13061) 2026-01-12 13:15:40 +05:30
platform_app_permissible.rb fix: SuperAdmin Improvements (#3733) 2022-01-11 19:00:00 -08:00
platform_app.rb Chore: Replaced dependent destroy with dependent destroy_async in all models (#3249) 2021-11-18 10:32:29 +05:30
portal.rb fix: Use SignedId instead of regular ID in portal update (#13197) 2026-01-07 19:36:29 -08:00
related_category.rb feat: CRUD operation for associated articles to current article (#4912) 2022-07-04 20:29:44 +05:30
reporting_event.rb feat: allow querying reporting events via the API (#12832) 2025-11-13 12:46:55 +05:30
super_admin.rb feat: Add company model and API with tests (#12548) 2025-10-08 07:53:43 -07:00
team_member.rb feat: auditlog for team and inbox member updates (#7516) 2023-08-15 19:55:19 -07:00
team.rb feat: invalidate cache after inbox members or team members update (#10869) 2025-02-20 21:28:38 -08:00
user.rb feat(ee): Review Notes for CSAT Reports (#13289) 2026-01-15 19:53:57 -08:00
webhook.rb fix: the webhook url to be text (#13157) 2026-01-06 15:23:54 +05:30
working_hour.rb chore: Replace deprecated functions (#5611) 2022-10-12 14:55:59 -07:00