2adc040a8f
Previously, attachments relied only on blob_id, which made it possible to attach blobs across accounts by enumerating IDs. We now require both blob_id and blob_key, add cross-account validation to prevent blob reuse, and centralize the logic in a shared BlobOwnershipValidation concern. It also fixes a frontend bug where mixed-type action params (number + string) were incorrectly dropped, causing attachment uploads to fail. |
||
|---|---|---|
| .. | ||
| accounts | ||
| widget | ||
| accounts_controller_spec.rb | ||
| notification_subscriptions_controller_spec.rb | ||
| profiles_controller_spec.rb | ||
| upload_controller_spec.rb | ||