Genesys Cloud - Developer Announcements!

Fix for Transfer API: Adding Validation for queueName and userDisplayName Parameters

    Posted 05-23-2025 11:07

    Summary

    This change introduces validation for the queueName parameter in the /api/v2/conversations/{conversationId}/participants/{participantId}/replace/queue API and the userDisplayName parameter in the /api/v2/conversations/{conversationId}/participants/{participantId}/replace/agent API. Currently, these parameters lack validation, which this update addresses.

    The /api/v2/conversations/{conversationId}/participants/{participantId}/replace/agent API (permission-protected) allows transfers to a user using one of the following inputs:

    • userId
    • username (user's email, already validated)
    • userDisplayName (user's name) - Validation added by this change.

    The /api/v2/conversations/{conversationId}/participants/{participantId}/replace/queue API (permission-protected) allows transfers to a queue using one of the following inputs:

    • queueId
    • queueName - Validation added by this change.

    Effective Date

    Monday, September 1, 2025

    Issue References

    [CS-4195]

    Details

    This update mitigates two potential risks related to permission bypass:

    • A caller with permission to transfer to a queue could potentially use queueName to attempt a transfer to a user without the necessary user transfer permissions.
    • A caller with permission to transfer to a user could potentially use userDisplayName to attempt a transfer to a queue without queue transfer permissions.

    Impacted Resources

    POST /api/v2/conversations/{conversationId}/participants/{participantId}/replace/agent

    POST /api/v2/conversations/{conversationId}/participants/{participantId}/replace/queue

    Customer Impact

    This fix enhances the security and integrity of the transfer API by preventing potential misuse related to permission boundaries.

    • Example 1:

    Current behavior: When a customer uses a queueName with the endpoint [POST /api/v2/conversations/{conversationId}/participants/{participantId}/replace/queue] to transfer to a user, the API responds with a 202 Accepted.

    After the fix: This transfer will be blocked with a 404 Not Found error, since queueName is not a valid user.

    • Example 2:

    Current behavior: When a customer uses a userDisplayName with the endpoint [POST /api/v2/conversations/{conversationId}/participants/{participantId}/replace/agent] to transfer to a queue, the API responds with a 202 Accepted.

    After the fix: This transfer will be blocked with a 404 Not Found error, since userDisplayName is not a valid queue.

    Contacts

    @Sabyasachi Pradhan
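A minimal model of the check described in this announcement, added here as an illustration and not Genesys code: a name lookup that is not restricted to the endpoint's target type lets a queue-only permission reach a user, while a type-scoped lookup returns 404. The directory, the permission labels (`transfer:queue`, `transfer:user`) and the function names are hypothetical.

```python
# Hypothetical model: entities, permission labels and names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    id: str
    kind: str  # "user" or "queue"
    name: str


# Constructed sample directory holding both users and queues.
DIRECTORY = [
    Entity("u-1", "user", "Alex Doe"),
    Entity("q-1", "queue", "Billing"),
]

# Endpoint -> (required permission, kind of target it may route to).
ENDPOINTS = {
    "replace/queue": ("transfer:queue", "queue"),
    "replace/agent": ("transfer:user", "user"),
}


def resolve_by_name(name, kind=None):
    """Return the first entity with this name, optionally limited to one kind."""
    for entity in DIRECTORY:
        if entity.name == name and (kind is None or entity.kind == kind):
            return entity
    return None


def transfer(endpoint, name, caller_perms, validate):
    """Return (HTTP status, kind of entity the transfer was routed to)."""
    required, expected_kind = ENDPOINTS[endpoint]
    if required not in caller_perms:
        return 403, None
    # Without validation the name matches an entity of any kind; with it,
    # only entities of the kind this endpoint may target can match.
    target = resolve_by_name(name, expected_kind if validate else None)
    if target is None:
        return 404, None
    return 202, target.kind


if __name__ == "__main__":
    perms = {"transfer:queue"}  # caller may transfer to queues only
    for validate in (False, True):
        print(validate, transfer("replace/queue", "Alex Doe", perms, validate))
```

Integrations that pass `queueId` or `userId` are unaffected in this model; only name-based requests that resolve to the other entity type change from 202 to 404.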