chore: Enforce custom role permissions on conversation access (#12583)

## Summary - ensure conversation lookup uses the permission filter before fetching records - add request specs covering custom role access to unassigned conversations ## Testing - bundle exec rspec spec/enterprise/controllers/api/v1/accounts/conversations_controller_spec.rb ------ https://chatgpt.com/codex/tasks/task_e_68de1f62b9b883268a54882e608a8bb8
2025-10-22 20:23:37 -07:00
parent eabdfc8168
commit 9898ccee9e
10 changed files with 286 additions and 7 deletions
--- a/app/controllers/api/v1/accounts/conversations/base_controller.rb
+++ b/app/controllers/api/v1/accounts/conversations/base_controller.rb
@@ -5,6 +5,6 @@ class Api::V1::Accounts::Conversations::BaseController < Api::V1::Accounts::Base

  def conversation
    @conversation ||= Current.account.conversations.find_by!(display_id: params[:conversation_id])
-    authorize @conversation.inbox, :show?
+    authorize @conversation, :show?
  end
 end
--- a/app/controllers/api/v1/accounts/conversations_controller.rb
+++ b/app/controllers/api/v1/accounts/conversations_controller.rb
@@ -160,7 +160,7 @@ class Api::V1::Accounts::ConversationsController < Api::V1::Accounts::BaseContro

  def conversation
    @conversation ||= Current.account.conversations.find_by!(display_id: params[:id])
-    authorize @conversation.inbox, :show?
+    authorize @conversation, :show?
  end

  def inbox
--- a/app/controllers/api/v1/accounts/integrations/dyte_controller.rb
+++ b/app/controllers/api/v1/accounts/integrations/dyte_controller.rb
@@ -22,7 +22,7 @@ class Api::V1::Accounts::Integrations::DyteController < Api::V1::Accounts::BaseC
  private

  def authorize_request
-    authorize @conversation.inbox, :show?
+    authorize @conversation, :show?
  end

  def render_response(response)
--- a/app/controllers/concerns/access_token_auth_helper.rb
+++ b/app/controllers/concerns/access_token_auth_helper.rb
@@ -14,6 +14,7 @@ module AccessTokenAuthHelper
    ensure_access_token
    render_unauthorized('Invalid Access Token') && return if @access_token.blank?

+    # NOTE: This ensures that current_user is set and available for the rest of the controller actions
    @resource = @access_token.owner
    Current.user = @resource if allowed_current_user_type?(@resource)
  end
--- a/app/policies/conversation_policy.rb
+++ b/app/policies/conversation_policy.rb
@@ -4,6 +4,44 @@ class ConversationPolicy < ApplicationPolicy
  end

  def destroy?
-    @account_user&.administrator?
+    administrator?
+  end
+
+  def show?
+    administrator? || agent_bot? || agent_can_view_conversation?
+  end
+
+  private
+
+  def agent_can_view_conversation?
+    inbox_access? || team_access?
+  end
+
+  def administrator?
+    account_user&.administrator?
+  end
+
+  def agent_bot?
+    user.is_a?(AgentBot)
+  end
+
+  def inbox_access?
+    user.inboxes.where(account_id: account&.id).exists?(id: record.inbox_id)
+  end
+
+  def team_access?
+    return false if record.team_id.blank?
+
+    user.teams.where(account_id: account&.id).exists?(id: record.team_id)
+  end
+
+  def assigned_to_user?
+    record.assignee_id == user.id
+  end
+
+  def participant?
+    record.conversation_participants.exists?(user_id: user.id)
  end
 end
+
+ConversationPolicy.prepend_mod_with('ConversationPolicy')