Ensure conversation access honors permissions

app/controllers/api/v1/accounts/conversations_controller.rb

@@ -160,6 +160,7 @@ class Api::V1::Accounts::ConversationsController < Api::V1::Accounts::BaseContro
 
   def conversation
     @conversation ||= Current.account.conversations.find_by!(display_id: params[:id])
+    authorize @conversation
     authorize @conversation.inbox, :show?
   end
 

app/policies/conversation_policy.rb

@@ -1,4 +1,14 @@
 class ConversationPolicy < ApplicationPolicy
+  class Scope < ApplicationPolicy::Scope
+    def resolve
+      return scope if user.is_a?(AgentBot)
+      return scope.none if account.blank?
+
+      conversations = scope.where(account_id: account.id)
+      Conversations::PermissionFilterService.new(conversations, user, account).perform
+    end
+  end
+
   def index?
     true
   end