chore: Ensure privilege validations for API endpoints (#2224)

Co-authored-by: Pranav Raj S <pranav@chatwoot.com>
2021-06-11 11:44:31 +05:30
parent 5a95c74bf6
commit 534acfbf96
27 changed files with 335 additions and 119 deletions
--- a/spec/controllers/api/v1/accounts/conversations/labels_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/conversations/labels_controller_spec.rb
@@ -17,9 +17,13 @@ RSpec.describe 'Conversation Label API', type: :request do
      end
    end

-    context 'when it is an authenticated user' do
+    context 'when it is an authenticated user with access to the conversation' do
      let(:agent) { create(:user, account: account, role: :agent) }

+      before do
+        create(:inbox_member, inbox: conversation.inbox, user: agent)
+      end
+
      it 'returns all the labels for the conversation' do
        get api_v1_account_conversation_labels_url(account_id: account.id, conversation_id: conversation.display_id),
            headers: agent.create_new_auth_token,
@@ -49,9 +53,14 @@ RSpec.describe 'Conversation Label API', type: :request do
      end
    end

-    context 'when it is an authenticated user' do
+    context 'when it is an authenticated user with access to the conversation' do
      let(:agent) { create(:user, account: account, role: :agent) }

+      before do
+        conversation.update_labels('label1, label2')
+        create(:inbox_member, inbox: conversation.inbox, user: agent)
+      end
+
      it 'creates labels for the conversation' do
        post api_v1_account_conversation_labels_url(account_id: account.id, conversation_id: conversation.display_id),
             params: { labels: %w[label3 label4] },