chore: Ensure privilege validations for API endpoints (#2224)

Co-authored-by: Pranav Raj S <pranav@chatwoot.com>

spec/controllers/api/v1/accounts/contacts/contact_inboxes_controller_spec.rb

@@ -5,7 +5,7 @@ RSpec.describe '/api/v1/accounts/{account.id}/contacts/:id/contact_inboxes', typ
   let(:contact) { create(:contact, account: account) }
   let(:channel_twilio_sms) { create(:channel_twilio_sms, account: account) }
   let(:channel_api) { create(:channel_api, account: account) }
-  let(:user) { create(:user, account: account) }
+  let(:agent) { create(:user, account: account) }
 
   describe 'GET /api/v1/accounts/{account.id}/contacts/:id/contact_inboxes' do
     context 'when unauthenticated user' do
@@ -15,12 +15,13 @@ RSpec.describe '/api/v1/accounts/{account.id}/contacts/:id/contact_inboxes', typ
       end
     end
 
-    context 'when user is logged in' do
+    context 'when authenticated user with access to inbox' do
       it 'creates a contact inbox' do
+        create(:inbox_member, inbox: channel_api.inbox, user: agent)
         expect do
           post "/api/v1/accounts/#{account.id}/contacts/#{contact.id}/contact_inboxes",
                params: { inbox_id: channel_api.inbox.id },
-               headers: user.create_new_auth_token,
+               headers: agent.create_new_auth_token,
                as: :json
         end.to change(ContactInbox, :count).by(1)
 
@@ -29,10 +30,11 @@ RSpec.describe '/api/v1/accounts/{account.id}/contacts/:id/contact_inboxes', typ
       end
 
       it 'throws error for invalid source id' do
+        create(:inbox_member, inbox: channel_twilio_sms.inbox, user: agent)
         expect do
           post "/api/v1/accounts/#{account.id}/contacts/#{contact.id}/contact_inboxes",
                params: { inbox_id: channel_twilio_sms.inbox.id },
-               headers: user.create_new_auth_token,
+               headers: agent.create_new_auth_token,
                as: :json
         end.to change(ContactInbox, :count).by(0)