bigcapital/packages/server at e18e61000de01c1cd1d6d648e1223c6cb51a7f82 - bigcapital - Gitea: Git with a cup of tea

kasperdokter/bigcapital

Files

T

History

Ahmed Bouhuolia e18e61000d fix(server): prevent cross-tenant attachment access (IDOR)

Add tenant-scoped document lookup with throwIfNotFound() before S3
operations in GetAttachment, DeleteAttachment, and
GetAttachmentPresignedUrl services. This prevents users from reading,
deleting, or generating presigned URLs for attachments belonging to
other tenants.

Also adds RequirePermission decorators to the three attachment
endpoints and introduces Attachment ability subject with View and
Delete actions.

GHSA-rc4v-wq22-v6cf

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-15 14:47:18 +02:00

..

fix:create customer/vendor

2025-06-29 16:55:02 +02:00

fix(server): prevent cross-tenant attachment access (IDOR)

2026-05-15 14:47:18 +02:00

fix: delete inventory adjustment gl entries

2025-06-15 17:51:44 +02:00

Merge pull request #1045 from bigcapitalhq/self-contained-e2e-github-action

2026-03-15 23:49:49 +02:00

.env.example

fix(server): Dockerfile

2026-01-09 23:38:52 +02:00

.eslintrc.js

feat(nestjs): migrate to NestJS

2025-04-07 11:51:24 +02:00

.gitignore

feat(nestjs): migrate to NestJS

2025-04-07 11:51:24 +02:00

.prettierrc

feat(nestjs): migrate to NestJS

2025-04-07 11:51:24 +02:00

.todo

feat(nestjs): migrate to NestJS

2025-04-07 11:51:24 +02:00

Dockerfile

chore(docker): upgrade pnpm version in Dockerfiles for server and webapp

2026-03-08 04:55:16 +02:00

nest-cli.json

fix(server): copy .js migration files

2026-02-01 16:53:21 +02:00

package.json

Merge pull request #1045 from bigcapitalhq/self-contained-e2e-github-action

2026-03-15 23:49:49 +02:00

README.md

feat(nestjs): migrate to NestJS

2025-04-07 11:51:24 +02:00

tsconfig.build.json

feat(nestjs): migrate to NestJS

2025-04-07 11:51:24 +02:00

tsconfig.json

feat(nestjs): migrate to NestJS

2025-04-07 11:51:24 +02:00

README.md

@bigcapitalhq/server