chore: Ensure privilege validations for API endpoints (#2224)

Co-authored-by: Pranav Raj S <pranav@chatwoot.com>
2021-06-11 11:44:31 +05:30
parent 5a95c74bf6
commit 534acfbf96
27 changed files with 335 additions and 119 deletions
--- a/spec/controllers/api/v1/accounts/agents_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/agents_controller_spec.rb
@@ -2,6 +2,8 @@ require 'rails_helper'

 RSpec.describe 'Agents API', type: :request do
  let(:account) { create(:account) }
+  let(:admin) { create(:user, account: account, role: :administrator) }
+  let(:agent) { create(:user, account: account, role: :agent) }

  describe 'GET /api/v1/accounts/{account.id}/agents' do
    context 'when it is an unauthenticated user' do
@@ -38,7 +40,13 @@ RSpec.describe 'Agents API', type: :request do
    end

    context 'when it is an authenticated user' do
-      let(:admin) { create(:user, account: account, role: :administrator) }
+      it 'returns unauthorized for agents' do
+        delete "/api/v1/accounts/#{account.id}/agents/#{other_agent.id}",
+               headers: agent.create_new_auth_token,
+               as: :json
+
+        expect(response).to have_http_status(:unauthorized)
+      end

      it 'deletes an agent' do
        delete "/api/v1/accounts/#{account.id}/agents/#{other_agent.id}",
@@ -63,10 +71,17 @@ RSpec.describe 'Agents API', type: :request do
    end

    context 'when it is an authenticated user' do
-      let(:admin) { create(:user, account: account, role: :administrator) }
-
      params = { name: 'TestUser' }

+      it 'returns unauthorized for agents' do
+        put "/api/v1/accounts/#{account.id}/agents/#{other_agent.id}",
+            params: params,
+            headers: agent.create_new_auth_token,
+            as: :json
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+
      it 'modifies an agent' do
        put "/api/v1/accounts/#{account.id}/agents/#{other_agent.id}",
            params: params,
@@ -91,10 +106,17 @@ RSpec.describe 'Agents API', type: :request do
    end

    context 'when it is an authenticated user' do
-      let(:admin) { create(:user, account: account, role: :administrator) }
-
      params = { name: 'NewUser', email: Faker::Internet.email, role: :agent }

+      it 'returns unauthorized for agents' do
+        post "/api/v1/accounts/#{account.id}/agents",
+             params: params,
+             headers: agent.create_new_auth_token,
+             as: :json
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+
      it 'creates a new agent' do
        post "/api/v1/accounts/#{account.id}/agents",
             params: params,