chore: Enforce custom role permissions on conversation access (#12583)

## Summary - ensure conversation lookup uses the permission filter before fetching records - add request specs covering custom role access to unassigned conversations ## Testing - bundle exec rspec spec/enterprise/controllers/api/v1/accounts/conversations_controller_spec.rb ------ https://chatgpt.com/codex/tasks/task_e_68de1f62b9b883268a54882e608a8bb8
2025-10-22 20:23:37 -07:00
parent eabdfc8168
commit 9898ccee9e
10 changed files with 286 additions and 7 deletions
--- a/enterprise/app/policies/enterprise/conversation_policy.rb
+++ b/enterprise/app/policies/enterprise/conversation_policy.rb
@@ -0,0 +1,42 @@
+module Enterprise::ConversationPolicy
+  def show?
+    return false unless super
+    return true unless custom_role_permissions?
+
+    permissions = custom_role_permissions
+    return true if manage_all_conversations?(permissions)
+    return true if permits_unassigned_manage?(permissions)
+
+    permits_participating?(permissions)
+  end
+
+  private
+
+  def manage_all_conversations?(permissions)
+    permissions.include?('conversation_manage')
+  end
+
+  def permits_unassigned_manage?(permissions)
+    return false unless permissions.include?('conversation_unassigned_manage')
+
+    unassigned_conversation? || assigned_to_user?
+  end
+
+  def permits_participating?(permissions)
+    return false unless permissions.include?('conversation_participating_manage')
+
+    assigned_to_user? || participant?
+  end
+
+  def unassigned_conversation?
+    record.assignee_id.nil?
+  end
+
+  def custom_role_permissions?
+    account_user&.custom_role_id.present?
+  end
+
+  def custom_role_permissions
+    account_user&.custom_role&.permissions || []
+  end
+end