chore(refactor): Improve conversation permission filtering (#11166)
1. Add permission filter service to separate permission filtering logic from conversation queries 2. Implement hierarchical permissions with cleaner logic: - conversation_manage gives access to all conversations - conversation_unassigned_manage gives access to unassigned and user's conversations - conversation_participating_manage gives access only to user's conversations --------- Co-authored-by: Pranav <pranav@chatwoot.com>
This commit is contained in:
Sojan Jose
@@ -0,0 +1,38 @@
|
||||
module Enterprise::Conversations::PermissionFilterService
|
||||
def perform
|
||||
account_user = AccountUser.find_by(account_id: account.id, user_id: user.id)
|
||||
permissions = account_user&.permissions || []
|
||||
user_role = account_user&.role
|
||||
|
||||
# Skip filtering for administrators
|
||||
return conversations if user_role == 'administrator'
|
||||
# Skip filtering for regular agents (without custom roles/permissions)
|
||||
return conversations if user_role == 'agent' && account_user&.custom_role_id.nil?
|
||||
|
||||
filter_by_permissions(permissions)
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def filter_by_permissions(permissions)
|
||||
# Permission-based filtering with hierarchy
|
||||
# conversation_manage > conversation_unassigned_manage > conversation_participating_manage
|
||||
if permissions.include?('conversation_manage')
|
||||
conversations
|
||||
elsif permissions.include?('conversation_unassigned_manage')
|
||||
filter_unassigned_and_mine
|
||||
elsif permissions.include?('conversation_participating_manage')
|
||||
conversations.assigned_to(user)
|
||||
else
|
||||
Conversation.none
|
||||
end
|
||||
end
|
||||
|
||||
def filter_unassigned_and_mine
|
||||
mine = conversations.assigned_to(user)
|
||||
unassigned = conversations.unassigned
|
||||
|
||||
Conversation.from("(#{mine.to_sql} UNION #{unassigned.to_sql}) as conversations")
|
||||
.where(account_id: account.id)
|
||||
end
|
||||
end
|
||||
@@ -0,0 +1,123 @@
|
||||
require 'rails_helper'
|
||||
|
||||
RSpec.describe '/api/v1/accounts/{account.id}/contacts/:id/conversations enterprise', type: :request do
|
||||
let(:account) { create(:account) }
|
||||
let(:contact) { create(:contact, account: account) }
|
||||
let(:inbox) { create(:inbox, account: account) }
|
||||
let(:contact_inbox) { create(:contact_inbox, contact: contact, inbox: inbox) }
|
||||
|
||||
describe 'GET /api/v1/accounts/{account.id}/contacts/:id/conversations with custom role permissions' do
|
||||
context 'with user having custom role' do
|
||||
let(:agent_with_custom_role) { create(:user, account: account, role: :agent) }
|
||||
let(:custom_role) { create(:custom_role, account: account) }
|
||||
|
||||
before do
|
||||
create(:inbox_member, user: agent_with_custom_role, inbox: inbox)
|
||||
end
|
||||
|
||||
context 'with conversation_participating_manage permission' do
|
||||
let(:assigned_conversation) do
|
||||
create(:conversation, account: account, inbox: inbox, contact: contact,
|
||||
contact_inbox: contact_inbox, assignee: agent_with_custom_role)
|
||||
end
|
||||
|
||||
before do
|
||||
# Create a conversation assigned to this agent
|
||||
assigned_conversation
|
||||
|
||||
# Create another conversation that shouldn't be visible
|
||||
create(:conversation, account: account, inbox: inbox, contact: contact,
|
||||
contact_inbox: contact_inbox, assignee: create(:user, account: account, role: :agent))
|
||||
|
||||
# Set up permissions
|
||||
custom_role.update!(permissions: %w[conversation_participating_manage])
|
||||
|
||||
# Associate the custom role with the agent
|
||||
account_user = AccountUser.find_by(user: agent_with_custom_role, account: account)
|
||||
account_user.update!(role: :agent, custom_role: custom_role)
|
||||
end
|
||||
|
||||
it 'returns only conversations assigned to the agent' do
|
||||
get "/api/v1/accounts/#{account.id}/contacts/#{contact.id}/conversations",
|
||||
headers: agent_with_custom_role.create_new_auth_token
|
||||
|
||||
expect(response).to have_http_status(:success)
|
||||
json_response = response.parsed_body
|
||||
|
||||
# Should only return the conversation assigned to this agent
|
||||
expect(json_response['payload'].length).to eq 1
|
||||
expect(json_response['payload'][0]['id']).to eq assigned_conversation.display_id
|
||||
end
|
||||
end
|
||||
|
||||
context 'with conversation_unassigned_manage permission' do
|
||||
let(:unassigned_conversation) do
|
||||
create(:conversation, account: account, inbox: inbox, contact: contact,
|
||||
contact_inbox: contact_inbox, assignee: nil)
|
||||
end
|
||||
|
||||
let(:assigned_conversation) do
|
||||
create(:conversation, account: account, inbox: inbox, contact: contact,
|
||||
contact_inbox: contact_inbox, assignee: agent_with_custom_role)
|
||||
end
|
||||
|
||||
before do
|
||||
# Create the conversations
|
||||
unassigned_conversation
|
||||
assigned_conversation
|
||||
create(:conversation, account: account, inbox: inbox, contact: contact,
|
||||
contact_inbox: contact_inbox, assignee: create(:user, account: account, role: :agent))
|
||||
|
||||
# Set up permissions
|
||||
custom_role.update!(permissions: %w[conversation_unassigned_manage])
|
||||
|
||||
# Associate the custom role with the agent
|
||||
account_user = AccountUser.find_by(user: agent_with_custom_role, account: account)
|
||||
account_user.update!(role: :agent, custom_role: custom_role)
|
||||
end
|
||||
|
||||
it 'returns unassigned conversations AND conversations assigned to the agent' do
|
||||
get "/api/v1/accounts/#{account.id}/contacts/#{contact.id}/conversations",
|
||||
headers: agent_with_custom_role.create_new_auth_token
|
||||
|
||||
expect(response).to have_http_status(:success)
|
||||
json_response = response.parsed_body
|
||||
|
||||
# Should return both unassigned and assigned to this agent conversations
|
||||
expect(json_response['payload'].length).to eq 2
|
||||
conversation_ids = json_response['payload'].pluck('id')
|
||||
expect(conversation_ids).to include(unassigned_conversation.display_id)
|
||||
expect(conversation_ids).to include(assigned_conversation.display_id)
|
||||
end
|
||||
end
|
||||
|
||||
context 'with conversation_manage permission' do
|
||||
before do
|
||||
# Create multiple conversations
|
||||
3.times do
|
||||
create(:conversation, account: account, inbox: inbox, contact: contact,
|
||||
contact_inbox: contact_inbox)
|
||||
end
|
||||
|
||||
# Set up permissions
|
||||
custom_role.update!(permissions: %w[conversation_manage])
|
||||
|
||||
# Associate the custom role with the agent
|
||||
account_user = AccountUser.find_by(user: agent_with_custom_role, account: account)
|
||||
account_user.update!(role: :agent, custom_role: custom_role)
|
||||
end
|
||||
|
||||
it 'returns all conversations' do
|
||||
get "/api/v1/accounts/#{account.id}/contacts/#{contact.id}/conversations",
|
||||
headers: agent_with_custom_role.create_new_auth_token
|
||||
|
||||
expect(response).to have_http_status(:success)
|
||||
json_response = response.parsed_body
|
||||
|
||||
# Should return all conversations in this inbox
|
||||
expect(json_response['payload'].length).to eq 3
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
@@ -0,0 +1,197 @@
|
||||
require 'rails_helper'
|
||||
|
||||
RSpec.describe Enterprise::Conversations::PermissionFilterService do
|
||||
let(:account) { create(:account) }
|
||||
# Create conversations with different states
|
||||
let!(:assigned_conversation) { create(:conversation, account: account, inbox: inbox, assignee: agent) }
|
||||
let!(:unassigned_conversation) { create(:conversation, account: account, inbox: inbox, assignee: nil) }
|
||||
let!(:another_assigned_conversation) { create(:conversation, account: account, inbox: inbox, assignee: create(:user, account: account)) }
|
||||
let(:admin) { create(:user, account: account, role: :administrator) }
|
||||
let(:agent) { create(:user, account: account, role: :agent) }
|
||||
let!(:inbox) { create(:inbox, account: account) }
|
||||
|
||||
# This inbox_member is used to establish the agent's access to the inbox
|
||||
before { create(:inbox_member, user: agent, inbox: inbox) }
|
||||
|
||||
describe '#perform' do
|
||||
context 'when user is an administrator' do
|
||||
it 'returns all conversations' do
|
||||
result = Conversations::PermissionFilterService.new(
|
||||
account.conversations,
|
||||
admin,
|
||||
account
|
||||
).perform
|
||||
|
||||
expect(result).to include(assigned_conversation)
|
||||
expect(result).to include(unassigned_conversation)
|
||||
expect(result).to include(another_assigned_conversation)
|
||||
expect(result.count).to eq(3)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when user is a regular agent' do
|
||||
it 'returns all conversations in assigned inboxes' do
|
||||
inbox_ids = agent.inboxes.where(account_id: account.id).pluck(:id)
|
||||
|
||||
result = Conversations::PermissionFilterService.new(
|
||||
account.conversations.where(inbox_id: inbox_ids),
|
||||
agent,
|
||||
account
|
||||
).perform
|
||||
|
||||
expect(result).to include(assigned_conversation)
|
||||
expect(result).to include(unassigned_conversation)
|
||||
expect(result).to include(another_assigned_conversation)
|
||||
expect(result.count).to eq(3)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when user has conversation_manage permission' do
|
||||
# Test with a new clean state for each test case
|
||||
it 'returns all conversations' do
|
||||
# Create a new isolated test environment
|
||||
test_account = create(:account)
|
||||
test_inbox = create(:inbox, account: test_account)
|
||||
|
||||
# Create test agent
|
||||
test_agent = create(:user, account: test_account, role: :agent)
|
||||
create(:inbox_member, user: test_agent, inbox: test_inbox)
|
||||
|
||||
# Create custom role with conversation_manage permission
|
||||
test_custom_role = create(:custom_role, account: test_account, permissions: ['conversation_manage'])
|
||||
account_user = AccountUser.find_by(user: test_agent, account: test_account)
|
||||
account_user.update(role: :agent, custom_role: test_custom_role)
|
||||
|
||||
# Create some conversations
|
||||
assigned_conversation = create(:conversation, account: test_account, inbox: test_inbox, assignee: test_agent)
|
||||
unassigned_conversation = create(:conversation, account: test_account, inbox: test_inbox, assignee: nil)
|
||||
other_assigned_conversation = create(:conversation, account: test_account, inbox: test_inbox, assignee: create(:user, account: test_account))
|
||||
|
||||
# Run the test
|
||||
result = Conversations::PermissionFilterService.new(
|
||||
test_account.conversations,
|
||||
test_agent,
|
||||
test_account
|
||||
).perform
|
||||
|
||||
# Should have access to all conversations
|
||||
expect(result.count).to eq(3)
|
||||
expect(result).to include(assigned_conversation)
|
||||
expect(result).to include(unassigned_conversation)
|
||||
expect(result).to include(other_assigned_conversation)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when user has conversation_participating_manage permission' do
|
||||
it 'returns only conversations assigned to the agent' do
|
||||
# Create a new isolated test environment
|
||||
test_account = create(:account)
|
||||
test_inbox = create(:inbox, account: test_account)
|
||||
|
||||
# Create test agent
|
||||
test_agent = create(:user, account: test_account, role: :agent)
|
||||
create(:inbox_member, user: test_agent, inbox: test_inbox)
|
||||
|
||||
# Create a custom role with only the conversation_participating_manage permission
|
||||
test_custom_role = create(:custom_role, account: test_account, permissions: %w[conversation_participating_manage])
|
||||
|
||||
account_user = AccountUser.find_by(user: test_agent, account: test_account)
|
||||
account_user.update(role: :agent, custom_role: test_custom_role)
|
||||
|
||||
# Create some conversations
|
||||
other_conversation = create(:conversation, account: test_account, inbox: test_inbox)
|
||||
assigned_conversation = create(:conversation, account: test_account, inbox: test_inbox, assignee: test_agent)
|
||||
|
||||
# Run the test
|
||||
result = Conversations::PermissionFilterService.new(
|
||||
test_account.conversations,
|
||||
test_agent,
|
||||
test_account
|
||||
).perform
|
||||
|
||||
# Should only see conversations assigned to this agent
|
||||
expect(result.count).to eq(1)
|
||||
expect(result.first.assignee).to eq(test_agent)
|
||||
expect(result).to include(assigned_conversation)
|
||||
expect(result).not_to include(other_conversation)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when user has conversation_unassigned_manage permission' do
|
||||
it 'returns unassigned conversations AND mine' do
|
||||
# Create a new isolated test environment
|
||||
test_account = create(:account)
|
||||
test_inbox = create(:inbox, account: test_account)
|
||||
|
||||
# Create test agent
|
||||
test_agent = create(:user, account: test_account, role: :agent)
|
||||
create(:inbox_member, user: test_agent, inbox: test_inbox)
|
||||
|
||||
# Create a custom role with only the conversation_unassigned_manage permission
|
||||
test_custom_role = create(:custom_role, account: test_account, permissions: %w[conversation_unassigned_manage])
|
||||
|
||||
account_user = AccountUser.find_by(user: test_agent, account: test_account)
|
||||
account_user.update(role: :agent, custom_role: test_custom_role)
|
||||
|
||||
# Create some conversations
|
||||
assigned_conversation = create(:conversation, account: test_account, inbox: test_inbox, assignee: test_agent)
|
||||
unassigned_conversation = create(:conversation, account: test_account, inbox: test_inbox, assignee: nil)
|
||||
other_assigned_conversation = create(:conversation, account: test_account, inbox: test_inbox, assignee: create(:user, account: test_account))
|
||||
|
||||
# Run the test
|
||||
result = Conversations::PermissionFilterService.new(
|
||||
test_account.conversations,
|
||||
test_agent,
|
||||
test_account
|
||||
).perform
|
||||
|
||||
# Should see unassigned conversations AND conversations assigned to this agent
|
||||
expect(result.count).to eq(2)
|
||||
expect(result).to include(unassigned_conversation)
|
||||
expect(result).to include(assigned_conversation)
|
||||
|
||||
# Should NOT include conversations assigned to others
|
||||
expect(result).not_to include(other_assigned_conversation)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when user has both participating and unassigned permissions (hierarchical test)' do
|
||||
it 'gives higher priority to unassigned_manage over participating_manage' do
|
||||
# Create a new isolated test environment
|
||||
test_account = create(:account)
|
||||
test_inbox = create(:inbox, account: test_account)
|
||||
|
||||
# Create test agent
|
||||
test_agent = create(:user, account: test_account, role: :agent)
|
||||
create(:inbox_member, user: test_agent, inbox: test_inbox)
|
||||
|
||||
# Create a custom role with both participating and unassigned permissions
|
||||
permissions = %w[conversation_participating_manage conversation_unassigned_manage]
|
||||
test_custom_role = create(:custom_role, account: test_account, permissions: permissions)
|
||||
|
||||
account_user = AccountUser.find_by(user: test_agent, account: test_account)
|
||||
account_user.update(role: :agent, custom_role: test_custom_role)
|
||||
|
||||
# Create some conversations
|
||||
assigned_to_agent = create(:conversation, account: test_account, inbox: test_inbox, assignee: test_agent)
|
||||
unassigned_conversation = create(:conversation, account: test_account, inbox: test_inbox, assignee: nil)
|
||||
other_assigned_conversation = create(:conversation, account: test_account, inbox: test_inbox, assignee: create(:user, account: test_account))
|
||||
|
||||
# Run the test
|
||||
result = Conversations::PermissionFilterService.new(
|
||||
test_account.conversations,
|
||||
test_agent,
|
||||
test_account
|
||||
).perform
|
||||
|
||||
# Should behave the same as conversation_unassigned_manage test
|
||||
# - Show both unassigned and assigned to this agent
|
||||
# - Do not show conversations assigned to others
|
||||
expect(result.count).to eq(2)
|
||||
expect(result).to include(unassigned_conversation)
|
||||
expect(result).to include(assigned_to_agent)
|
||||
expect(result).not_to include(other_assigned_conversation)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
Reference in New Issue
Block a user