feat(condo): update ticketComment access#7026
feat(condo): update ticketComment access#7026StalinidzeCorp wants to merge 1 commit intoopen-condo-software:mainfrom
Conversation
StalinidzeCorp
had a problem deploying
to
external
GitHub Actions
Failure
WalkthroughModified access control logic in the TicketComment service. Removed the Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes
Suggested reviewers
Poem
Pre-merge checks and finishing touches✅ Passed checks (3 passed)
✨ Finishing touches
🧪 Generate unit tests (beta)
📜 Recent review detailsConfiguration used: CodeRabbit UI Review profile: CHILL Plan: Pro 📒 Files selected for processing (1)
💤 Files with no reviewable changes (1)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
|
|
||
| return { | ||
| ...accessFilter, | ||
| type: ORGANIZATION_COMMENT_TYPE, | ||
| } |
There was a problem hiding this comment.
canReadTicketComments for service accounts now returns the B2B access filter without the previous type: ORGANIZATION_COMMENT_TYPE constraint, so any B2B service user with canReadTicketComments permission can list resident-channel comments for all organizations in their token. That exposes resident conversations to third‑party integrations and contradicts the still stricter file access rule in TicketCommentFile.js (service users there are limited to organization comments), suggesting resident messages were meant to stay private. Consider keeping a type filter or gating resident comments on an explicit permission.
Useful? React with 👍 / 👎.
|
toplenboren
left a comment
toplenboren
left a comment
There was a problem hiding this comment.
In this PR you are allowing service users to read resident comments.
If we were to proceed with this PR, it would mean that all service accouts would gain access to resident comments, which is a blocker for us.
Can you please elaborate, why do you need to make this change? This way we'd be able to come up with an acceptable solution :-)
2 participants
hello everyone! we are making a helpdesk system based on your application, we want to use comments to communicate with residents by email, for this we have made our own miniapp, and we check and create comments through the service account, but there is a problem with the fact that we cannot receive data along this path, so I propose changes in access
Summary by CodeRabbit
Bug Fixes
✏️ Tip: You can customize this high-level summary in your review settings.