chatwoot/app
Tanmay Deep Sharma f4538ae2c5
fix: Enforce team boundaries to prevent cross-team assignments (#13353)
## Description

Fixes a critical bug where conversations assigned to a team could be
auto-assigned to agents outside that team when all team members were at
capacity.

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)

## Checklist:

- [ ] My code follows the style guidelines of this project
- [ ] I have performed a self-review of my code
- [ ] I have commented on my code, particularly in hard-to-understand
areas
- [ ] I have made corresponding changes to the documentation
- [ ] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my
feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published in downstream
modules

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes core assignment selection for both legacy and v2 flows;
misconfiguration of `allow_auto_assign` or team membership could cause
conversations to remain unassigned.
> 
> **Overview**
> Prevents auto-assignment from crossing team boundaries by filtering
eligible agents to the conversation’s `team` members (and requiring
`team.allow_auto_assign`) in both the legacy `AutoAssignmentHandler`
path and the v2 `AutoAssignment::AssignmentService` (including the
Enterprise override).
> 
> Adds test coverage to ensure team-scoped conversations only assign to
team members, and are skipped when team auto-assign is disabled or no
team members are available; also updates the conversations controller
spec setup to include team membership.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
67ed2bda0c. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-02-16 14:39:20 +05:30
..
actions
assets
builders feat: Add standalone outgoing messages count API endpoint (#13419) 2026-02-04 19:36:50 +05:30
channels
controllers fix: Prevent user enumeration on password reset endpoint (#13528) 2026-02-13 13:45:40 +05:30
dashboards
dispatchers
drops
fields
finders
helpers feat: new Captain Editor (#13235) 2026-01-21 13:39:07 +05:30
javascript fix: apply installation branding replacement in tooltip copy (#13538) 2026-02-13 16:47:25 -08:00
jobs fix: handle 404 errors gracefully in avatar download job (#13491) 2026-02-09 13:27:23 +05:30
listeners fix: prevent deserialization error on deletion (#13264) 2026-01-14 18:00:12 +05:30
mailboxes
mailers feat: add per-account daily rate limit for outbound emails (#13411) 2026-02-03 02:06:51 +05:30
models fix: Enforce team boundaries to prevent cross-team assignments (#13353) 2026-02-16 14:39:20 +05:30
policies feat: new Captain Editor (#13235) 2026-01-21 13:39:07 +05:30
presenters fix(mailbox): handle malformed sender address headers (#13486) 2026-02-11 11:02:38 -08:00
services fix: Enforce team boundaries to prevent cross-team assignments (#13353) 2026-02-16 14:39:20 +05:30
views feat: Add infinite scroll to contacts search page (#13376) 2026-01-27 18:55:19 -08:00