chore: Ensure privilege validations for API endpoints (#2224)
Co-authored-by: Pranav Raj S <pranav@chatwoot.com>
This commit is contained in:
Sojan Jose
@@ -201,18 +201,29 @@ RSpec.describe 'Contacts API', type: :request do
|
||||
end
|
||||
|
||||
context 'when it is an authenticated user' do
|
||||
let(:admin) { create(:user, account: account, role: :administrator) }
|
||||
let(:agent) { create(:user, account: account, role: :agent) }
|
||||
let!(:twilio_sms) { create(:channel_twilio_sms, account: account) }
|
||||
let!(:twilio_sms_inbox) { create(:inbox, channel: twilio_sms, account: account) }
|
||||
let!(:twilio_whatsapp) { create(:channel_twilio_sms, medium: :whatsapp, account: account) }
|
||||
let!(:twilio_whatsapp_inbox) { create(:inbox, channel: twilio_whatsapp, account: account) }
|
||||
|
||||
it 'shows the contactable inboxes which the user has access to' do
|
||||
create(:inbox_member, user: agent, inbox: twilio_whatsapp_inbox)
|
||||
|
||||
it 'shows the contact' do
|
||||
inbox_service = double
|
||||
allow(Contacts::ContactableInboxesService).to receive(:new).and_return(inbox_service)
|
||||
allow(inbox_service).to receive(:get).and_return({})
|
||||
expect(inbox_service).to receive(:get).and_return({})
|
||||
allow(inbox_service).to receive(:get).and_return([
|
||||
{ source_id: '1123', inbox: twilio_sms_inbox },
|
||||
{ source_id: '1123', inbox: twilio_whatsapp_inbox }
|
||||
])
|
||||
expect(inbox_service).to receive(:get)
|
||||
get "/api/v1/accounts/#{account.id}/contacts/#{contact.id}/contactable_inboxes",
|
||||
headers: admin.create_new_auth_token,
|
||||
headers: agent.create_new_auth_token,
|
||||
as: :json
|
||||
|
||||
expect(response).to have_http_status(:success)
|
||||
# only the inboxes which agent has access to are shown
|
||||
expect(JSON.parse(response.body)['payload'].pluck('inbox').pluck('id')).to eq([twilio_whatsapp_inbox.id])
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user