chore: Ensure privilege validations for API endpoints (#2224)

Co-authored-by: Pranav Raj S <pranav@chatwoot.com>

app/policies/conversation_policy.rb

@@ -0,0 +1,5 @@
+class ConversationPolicy < ApplicationPolicy
+  def index?
+    true
+  end
+end

app/policies/inbox_policy.rb

@@ -11,11 +11,7 @@ class InboxPolicy < ApplicationPolicy
     end
 
     def resolve
-      if @account_user.administrator?
-        scope.all
-      elsif @account_user.agent?
-        user.assigned_inboxes
-      end
+      user.assigned_inboxes
     end
   end
 
@@ -23,6 +19,13 @@ class InboxPolicy < ApplicationPolicy
     true
   end
 
+  def show?
+    # FIXME: for agent bots, lets bring this validation to policies as well in future
+    return true if @user.blank?
+
+    Current.user.assigned_inboxes.include? record
+  end
+
   def assignable_agents?
     true
   end