chore: Ensure privilege validations for API endpoints (#2224)

Co-authored-by: Pranav Raj S <pranav@chatwoot.com>
2021-06-11 11:44:31 +05:30
parent 5a95c74bf6
commit 534acfbf96
27 changed files with 335 additions and 119 deletions
--- a/spec/controllers/api/v1/accounts/conversations/assignments_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/conversations/assignments_controller_spec.rb
@@ -14,10 +14,14 @@ RSpec.describe 'Conversation Assignment API', type: :request do
      end
    end

-    context 'when it is an authenticated user' do
+    context 'when it is an authenticated user with access to the inbox' do
      let(:agent) { create(:user, account: account, role: :agent) }
      let(:team) { create(:team, account: account) }

+      before do
+        create(:inbox_member, inbox: conversation.inbox, user: agent)
+      end
+
      it 'assigns a user to the conversation' do
        params = { assignee_id: agent.id }

@@ -48,6 +52,7 @@ RSpec.describe 'Conversation Assignment API', type: :request do

      before do
        conversation.update!(assignee: agent)
+        create(:inbox_member, inbox: conversation.inbox, user: agent)
      end

      it 'unassigns the assignee from the conversation' do
@@ -69,6 +74,7 @@ RSpec.describe 'Conversation Assignment API', type: :request do

      before do
        conversation.update!(team: team)
+        create(:inbox_member, inbox: conversation.inbox, user: agent)
      end

      it 'unassigns the team from the conversation' do
--- a/spec/controllers/api/v1/accounts/conversations/labels_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/conversations/labels_controller_spec.rb
@@ -17,9 +17,13 @@ RSpec.describe 'Conversation Label API', type: :request do
      end
    end

-    context 'when it is an authenticated user' do
+    context 'when it is an authenticated user with access to the conversation' do
      let(:agent) { create(:user, account: account, role: :agent) }

+      before do
+        create(:inbox_member, inbox: conversation.inbox, user: agent)
+      end
+
      it 'returns all the labels for the conversation' do
        get api_v1_account_conversation_labels_url(account_id: account.id, conversation_id: conversation.display_id),
            headers: agent.create_new_auth_token,
@@ -49,9 +53,14 @@ RSpec.describe 'Conversation Label API', type: :request do
      end
    end

-    context 'when it is an authenticated user' do
+    context 'when it is an authenticated user with access to the conversation' do
      let(:agent) { create(:user, account: account, role: :agent) }

+      before do
+        conversation.update_labels('label1, label2')
+        create(:inbox_member, inbox: conversation.inbox, user: agent)
+      end
+
      it 'creates labels for the conversation' do
        post api_v1_account_conversation_labels_url(account_id: account.id, conversation_id: conversation.display_id),
             params: { labels: %w[label3 label4] },
--- a/spec/controllers/api/v1/accounts/conversations/messages_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/conversations/messages_controller_spec.rb
@@ -15,9 +15,13 @@ RSpec.describe 'Conversation Messages API', type: :request do
      end
    end

-    context 'when it is an authenticated user' do
+    context 'when it is an authenticated user with access to conversation' do
      let(:agent) { create(:user, account: account, role: :agent) }

+      before do
+        create(:inbox_member, inbox: conversation.inbox, user: agent)
+      end
+
      it 'creates a new outgoing message' do
        params = { content: 'test-message', private: true }

@@ -124,9 +128,13 @@ RSpec.describe 'Conversation Messages API', type: :request do
      end
    end

-    context 'when it is an authenticated user' do
+    context 'when it is an authenticated user with access to conversation' do
      let(:agent) { create(:user, account: account, role: :agent) }

+      before do
+        create(:inbox_member, inbox: conversation.inbox, user: agent)
+      end
+
      it 'shows the conversation' do
        get "/api/v1/accounts/#{account.id}/conversations/#{conversation.display_id}/messages",
            headers: agent.create_new_auth_token,
@@ -149,9 +157,13 @@ RSpec.describe 'Conversation Messages API', type: :request do
      end
    end

-    context 'when it is an authenticated user' do
+    context 'when it is an authenticated user with access to conversation' do
      let(:agent) { create(:user, account: account, role: :agent) }

+      before do
+        create(:inbox_member, inbox: conversation.inbox, user: agent)
+      end
+
      it 'deletes the message' do
        delete "/api/v1/accounts/#{account.id}/conversations/#{conversation.display_id}/messages/#{message.id}",
               headers: agent.create_new_auth_token,
@@ -166,6 +178,10 @@ RSpec.describe 'Conversation Messages API', type: :request do
    context 'when the message id is invalid' do
      let(:agent) { create(:user, account: account, role: :agent) }

+      before do
+        create(:inbox_member, inbox: conversation.inbox, user: agent)
+      end
+
      it 'returns not found error' do
        delete "/api/v1/accounts/#{account.id}/conversations/#{conversation.display_id}/messages/99999",
               headers: agent.create_new_auth_token,