chore: Ensure privilege validations for API endpoints (#2224)

Co-authored-by: Pranav Raj S <pranav@chatwoot.com>
2021-06-11 11:44:31 +05:30
parent 5a95c74bf6
commit 534acfbf96
27 changed files with 335 additions and 119 deletions
--- a/spec/controllers/api/v2/accounts/report_controller_spec.rb
+++ b/spec/controllers/api/v2/accounts/report_controller_spec.rb
@@ -2,6 +2,8 @@ require 'rails_helper'

 RSpec.describe 'Reports API', type: :request do
  let(:account) { create(:account) }
+  let(:admin) { create(:user, account: account, role: :administrator) }
+  let(:agent) { create(:user, account: account, role: :agent) }
  let!(:user) { create(:user, account: account) }
  let!(:inbox) { create(:inbox, account: account) }
  let(:inbox_member) { create(:inbox_member, user: user, inbox: inbox) }
@@ -21,21 +23,28 @@ RSpec.describe 'Reports API', type: :request do
    end

    context 'when it is an authenticated user' do
-      let(:agent) { create(:user, account: account, role: :agent) }
-
-      it 'return timeseries metrics' do
-        params = {
-          metric: 'conversations_count',
-          type: :account,
-          since: Time.zone.today.to_time.to_i.to_s,
-          until: Time.zone.today.to_time.to_i.to_s
-        }
+      params = {
+        metric: 'conversations_count',
+        type: :account,
+        since: Time.zone.today.to_time.to_i.to_s,
+        until: Time.zone.today.to_time.to_i.to_s
+      }

+      it 'returns unauthorized for agents' do
        get "/api/v2/accounts/#{account.id}/reports/account",
            params: params,
            headers: agent.create_new_auth_token,
            as: :json

+        expect(response).to have_http_status(:unauthorized)
+      end
+
+      it 'return timeseries metrics' do
+        get "/api/v2/accounts/#{account.id}/reports/account",
+            params: params,
+            headers: admin.create_new_auth_token,
+            as: :json
+
        expect(response).to have_http_status(:success)
        json_response = JSON.parse(response.body)

@@ -56,20 +65,27 @@ RSpec.describe 'Reports API', type: :request do
    end

    context 'when it is an authenticated user' do
-      let(:agent) { create(:user, account: account, role: :agent) }
-
-      it 'returns summary metrics' do
-        params = {
-          type: :account,
-          since: Time.zone.today.to_time.to_i.to_s,
-          until: Time.zone.today.to_time.to_i.to_s
-        }
+      params = {
+        type: :account,
+        since: Time.zone.today.to_time.to_i.to_s,
+        until: Time.zone.today.to_time.to_i.to_s
+      }

+      it 'returns unauthorized for agents' do
        get "/api/v2/accounts/#{account.id}/reports/account_summary",
            params: params,
            headers: agent.create_new_auth_token,
            as: :json

+        expect(response).to have_http_status(:unauthorized)
+      end
+
+      it 'returns summary metrics' do
+        get "/api/v2/accounts/#{account.id}/reports/account_summary",
+            params: params,
+            headers: admin.create_new_auth_token,
+            as: :json
+
        expect(response).to have_http_status(:success)
        json_response = JSON.parse(response.body)

@@ -88,18 +104,24 @@ RSpec.describe 'Reports API', type: :request do
    end

    context 'when it is an authenticated user' do
-      let(:agent) { create(:user, account: account, role: :agent) }
-
      params = {
        since: 30.days.ago.to_i.to_s,
        until: Time.zone.today.to_time.to_i.to_s
      }

-      it 'returns summary' do
+      it 'returns unauthorized for agents' do
        get "/api/v2/accounts/#{account.id}/reports/agents.csv",
            params: params,
            headers: agent.create_new_auth_token

+        expect(response).to have_http_status(:unauthorized)
+      end
+
+      it 'returns summary' do
+        get "/api/v2/accounts/#{account.id}/reports/agents.csv",
+            params: params,
+            headers: admin.create_new_auth_token
+
        expect(response).to have_http_status(:success)
      end
    end
@@ -115,18 +137,24 @@ RSpec.describe 'Reports API', type: :request do
    end

    context 'when it is an authenticated user' do
-      let(:agent) { create(:user, account: account, role: :agent) }
-
      params = {
        since: 30.days.ago.to_i.to_s,
        until: Time.zone.today.to_time.to_i.to_s
      }

-      it 'returns summary' do
+      it 'returns unauthorized for agents' do
        get "/api/v2/accounts/#{account.id}/reports/inboxes",
            params: params,
            headers: agent.create_new_auth_token

+        expect(response).to have_http_status(:unauthorized)
+      end
+
+      it 'returns summary' do
+        get "/api/v2/accounts/#{account.id}/reports/inboxes",
+            params: params,
+            headers: admin.create_new_auth_token
+
        expect(response).to have_http_status(:success)
      end
    end