scottk/chatwoot
1
0
Fork 0
mirror of https://github.com/lingble/chatwoot.git synced 2025-11-01 03:27:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Ensure conversation access honors permissions

Browse Source
This commit is contained in:
Sojan Jose
2025-10-03 14:27:22 +05:30
parent 66cfef9298
commit 906b14d825
2 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
app/controllers/api/v1/accounts/conversations_controller.rb
View File

@@ -160,6 +160,7 @@ class Api::V1::Accounts::ConversationsController < Api::V1::Accounts::BaseContro
def conversation def conversation
@conversation ||= Current.account.conversations.find_by!(display_id: params[:id]) @conversation ||= Current.account.conversations.find_by!(display_id: params[:id])
authorize @conversation
authorize @conversation.inbox, :show? authorize @conversation.inbox, :show?
end end

10
app/policies/conversation_policy.rb
View File

@@ -1,4 +1,14 @@
class ConversationPolicy < ApplicationPolicy class ConversationPolicy < ApplicationPolicy
class Scope < ApplicationPolicy::Scope
def resolve
return scope if user.is_a?(AgentBot)
return scope.none if account.blank?
conversations = scope.where(account_id: account.id)
Conversations::PermissionFilterService.new(conversations, user, account).perform
end
end
def index? def index?
true true
end end