chore: Ensure privilege validations for API endpoints (#2224)

Co-authored-by: Pranav Raj S <pranav@chatwoot.com>
2021-06-11 11:44:31 +05:30
parent 5a95c74bf6
commit 534acfbf96
27 changed files with 335 additions and 119 deletions
--- a/spec/controllers/api/v1/accounts/conversations_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/conversations_controller_spec.rb
@@ -119,8 +119,27 @@ RSpec.describe 'Conversations API', type: :request do

    context 'when it is an authenticated user' do
      let(:agent) { create(:user, account: account, role: :agent) }
+      let(:administrator) { create(:user, account: account, role: :administrator) }

-      it 'shows the conversation' do
+      it 'does not shows the conversation if you do not have access to it' do
+        get "/api/v1/accounts/#{account.id}/conversations/#{conversation.display_id}",
+            headers: agent.create_new_auth_token,
+            as: :json
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+
+      it 'shows the conversation if you are an administrator' do
+        get "/api/v1/accounts/#{account.id}/conversations/#{conversation.display_id}",
+            headers: administrator.create_new_auth_token,
+            as: :json
+
+        expect(response).to have_http_status(:success)
+        expect(JSON.parse(response.body, symbolize_names: true)[:id]).to eq(conversation.display_id)
+      end
+
+      it 'shows the conversation if you are an agent with access to inbox' do
+        create(:inbox_member, user: agent, inbox: conversation.inbox)
        get "/api/v1/accounts/#{account.id}/conversations/#{conversation.display_id}",
            headers: agent.create_new_auth_token,
            as: :json
@@ -149,57 +168,71 @@ RSpec.describe 'Conversations API', type: :request do
    context 'when it is an authenticated user' do
      let(:agent) { create(:user, account: account, role: :agent) }

-      it 'creates a new conversation' do
+      it 'will not create a new conversation if agent does not have access to inbox' do
        allow(Rails.configuration.dispatcher).to receive(:dispatch)
        additional_attributes = { test: 'test' }
        post "/api/v1/accounts/#{account.id}/conversations",
             headers: agent.create_new_auth_token,
             params: { source_id: contact_inbox.source_id, additional_attributes: additional_attributes },
             as: :json
-
-        expect(response).to have_http_status(:success)
-        response_data = JSON.parse(response.body, symbolize_names: true)
-        expect(response_data[:additional_attributes]).to eq(additional_attributes)
+        expect(response).to have_http_status(:unauthorized)
      end

-      it 'creates a conversation in specificed status' do
-        allow(Rails.configuration.dispatcher).to receive(:dispatch)
-        post "/api/v1/accounts/#{account.id}/conversations",
-             headers: agent.create_new_auth_token,
-             params: { source_id: contact_inbox.source_id, status: 'bot' },
-             as: :json
+      context 'when it is an authenticated user who has access to the inbox' do
+        before do
+          create(:inbox_member, user: agent, inbox: inbox)
+        end

-        expect(response).to have_http_status(:success)
-        response_data = JSON.parse(response.body, symbolize_names: true)
-        expect(response_data[:status]).to eq('bot')
-      end
+        it 'creates a new conversation' do
+          allow(Rails.configuration.dispatcher).to receive(:dispatch)
+          additional_attributes = { test: 'test' }
+          post "/api/v1/accounts/#{account.id}/conversations",
+               headers: agent.create_new_auth_token,
+               params: { source_id: contact_inbox.source_id, additional_attributes: additional_attributes },
+               as: :json

-      it 'creates a new conversation with message when message is passed' do
-        allow(Rails.configuration.dispatcher).to receive(:dispatch)
-        post "/api/v1/accounts/#{account.id}/conversations",
-             headers: agent.create_new_auth_token,
-             params: { source_id: contact_inbox.source_id, message: { content: 'hi' } },
-             as: :json
+          expect(response).to have_http_status(:success)
+          response_data = JSON.parse(response.body, symbolize_names: true)
+          expect(response_data[:additional_attributes]).to eq(additional_attributes)
+        end

-        expect(response).to have_http_status(:success)
-        response_data = JSON.parse(response.body, symbolize_names: true)
-        expect(response_data[:additional_attributes]).to eq({})
-        expect(account.conversations.find_by(display_id: response_data[:id]).messages.first.content).to eq 'hi'
-      end
+        it 'creates a conversation in specificed status' do
+          allow(Rails.configuration.dispatcher).to receive(:dispatch)
+          post "/api/v1/accounts/#{account.id}/conversations",
+               headers: agent.create_new_auth_token,
+               params: { source_id: contact_inbox.source_id, status: 'bot' },
+               as: :json

-      it 'calls contact inbox builder if contact_id and inbox_id is present' do
-        builder = double
-        contact = create(:contact, account: account)
-        inbox = create(:inbox, account: account)
-        allow(Rails.configuration.dispatcher).to receive(:dispatch)
-        allow(ContactInboxBuilder).to receive(:new).and_return(builder)
-        allow(builder).to receive(:perform)
-        expect(builder).to receive(:perform)
+          expect(response).to have_http_status(:success)
+          response_data = JSON.parse(response.body, symbolize_names: true)
+          expect(response_data[:status]).to eq('bot')
+        end

-        post "/api/v1/accounts/#{account.id}/conversations",
-             headers: agent.create_new_auth_token,
-             params: { contact_id: contact.id, inbox_id: inbox.id },
-             as: :json
+        it 'creates a new conversation with message when message is passed' do
+          allow(Rails.configuration.dispatcher).to receive(:dispatch)
+          post "/api/v1/accounts/#{account.id}/conversations",
+               headers: agent.create_new_auth_token,
+               params: { source_id: contact_inbox.source_id, message: { content: 'hi' } },
+               as: :json
+
+          expect(response).to have_http_status(:success)
+          response_data = JSON.parse(response.body, symbolize_names: true)
+          expect(response_data[:additional_attributes]).to eq({})
+          expect(account.conversations.find_by(display_id: response_data[:id]).messages.outgoing.first.content).to eq 'hi'
+        end
+
+        it 'calls contact inbox builder if contact_id and inbox_id is present' do
+          builder = double
+          allow(Rails.configuration.dispatcher).to receive(:dispatch)
+          allow(ContactInboxBuilder).to receive(:new).and_return(builder)
+          allow(builder).to receive(:perform)
+          expect(builder).to receive(:perform)
+
+          post "/api/v1/accounts/#{account.id}/conversations",
+               headers: agent.create_new_auth_token,
+               params: { contact_id: contact.id, inbox_id: inbox.id },
+               as: :json
+        end
      end
    end
  end
@@ -218,6 +251,10 @@ RSpec.describe 'Conversations API', type: :request do
    context 'when it is an authenticated user' do
      let(:agent) { create(:user, account: account, role: :agent) }

+      before do
+        create(:inbox_member, user: agent, inbox: conversation.inbox)
+      end
+
      it 'toggles the conversation status' do
        expect(conversation.status).to eq('open')

@@ -268,6 +305,10 @@ RSpec.describe 'Conversations API', type: :request do
    context 'when it is an authenticated user' do
      let(:agent) { create(:user, account: account, role: :agent) }

+      before do
+        create(:inbox_member, user: agent, inbox: conversation.inbox)
+      end
+
      it 'toggles the conversation status' do
        allow(Rails.configuration.dispatcher).to receive(:dispatch)
        post "/api/v1/accounts/#{account.id}/conversations/#{conversation.display_id}/toggle_typing_status",
@@ -296,6 +337,10 @@ RSpec.describe 'Conversations API', type: :request do
    context 'when it is an authenticated user' do
      let(:agent) { create(:user, account: account, role: :agent) }

+      before do
+        create(:inbox_member, user: agent, inbox: conversation.inbox)
+      end
+
      it 'updates last seen' do
        post "/api/v1/accounts/#{account.id}/conversations/#{conversation.display_id}/update_last_seen",
             headers: agent.create_new_auth_token,
@@ -321,6 +366,10 @@ RSpec.describe 'Conversations API', type: :request do
    context 'when it is an authenticated user' do
      let(:agent) { create(:user, account: account, role: :agent) }

+      before do
+        create(:inbox_member, user: agent, inbox: conversation.inbox)
+      end
+
      it 'mutes conversation' do
        post "/api/v1/accounts/#{account.id}/conversations/#{conversation.display_id}/mute",
             headers: agent.create_new_auth_token,
@@ -347,6 +396,10 @@ RSpec.describe 'Conversations API', type: :request do
    context 'when it is an authenticated user' do
      let(:agent) { create(:user, account: account, role: :agent) }

+      before do
+        create(:inbox_member, user: agent, inbox: conversation.inbox)
+      end
+
      it 'unmutes conversation' do
        post "/api/v1/accounts/#{account.id}/conversations/#{conversation.display_id}/unmute",
             headers: agent.create_new_auth_token,
@@ -373,6 +426,10 @@ RSpec.describe 'Conversations API', type: :request do
      let(:agent) { create(:user, account: account, role: :agent) }
      let(:params) { { email: 'test@test.com' } }

+      before do
+        create(:inbox_member, user: agent, inbox: conversation.inbox)
+      end
+
      it 'mutes conversation' do
        mailer = double
        allow(ConversationReplyMailer).to receive(:with).and_return(mailer)