chore: Enforce custom role permissions on conversation access (#12583)

## Summary - ensure conversation lookup uses the permission filter before fetching records - add request specs covering custom role access to unassigned conversations ## Testing - bundle exec rspec spec/enterprise/controllers/api/v1/accounts/conversations_controller_spec.rb ------ https://chatgpt.com/codex/tasks/task_e_68de1f62b9b883268a54882e608a8bb8
2025-10-22 20:23:37 -07:00
parent eabdfc8168
commit 9898ccee9e
10 changed files with 286 additions and 7 deletions
--- a/spec/policies/conversation_policy_spec.rb
+++ b/spec/policies/conversation_policy_spec.rb
@@ -4,11 +4,12 @@ RSpec.describe ConversationPolicy, type: :policy do
  subject { described_class }

  let(:account) { create(:account) }
-  let(:conversation) { create(:conversation, account: account) }
  let(:administrator) { create(:user, account: account, role: :administrator) }
  let(:agent) { create(:user, account: account, role: :agent) }
-  let(:administrator_context) { { user: administrator, account: account, account_user: administrator.account_users.first } }
-  let(:agent_context) { { user: agent, account: account, account_user: agent.account_users.first } }
+  let(:administrator_context) { { user: administrator, account: account, account_user: administrator.account_users.find_by(account: account) } }
+  let(:agent_context) { { user: agent, account: account, account_user: agent.account_users.find_by(account: account) } }
+
+  let(:conversation) { create(:conversation, account: account) }

  permissions :destroy? do
    context 'when user is an administrator' do
@@ -31,4 +32,42 @@ RSpec.describe ConversationPolicy, type: :policy do
      end
    end
  end
+
+  permissions :show? do
+    context 'when user is an administrator' do
+      it 'allows access' do
+        expect(subject).to permit(administrator_context, conversation)
+      end
+    end
+
+    context 'when agent has inbox access' do
+      let(:inbox) { create(:inbox, account: account) }
+      let(:conversation) { create(:conversation, account: account, inbox: inbox) }
+
+      before { create(:inbox_member, user: agent, inbox: inbox) }
+
+      it 'allows access' do
+        expect(subject).to permit(agent_context, conversation)
+      end
+    end
+
+    context 'when agent has team access' do
+      let(:team) { create(:team, account: account) }
+      let(:conversation) { create(:conversation, :with_team, account: account, team: team) }
+
+      before { create(:team_member, team: team, user: agent) }
+
+      it 'allows access' do
+        expect(subject).to permit(agent_context, conversation)
+      end
+    end
+
+    context 'when agent lacks inbox and team access' do
+      let(:conversation) { create(:conversation, account: account) }
+
+      it 'denies access' do
+        expect(subject).not_to permit(agent_context, conversation)
+      end
+    end
+  end
 end