Fix: Conversation filter permissions (#3908)

fixes: chatwoot/product#225
2025-10-30 02:32:29 +00:00 · 2022-02-03 18:25:28 -08:00
parent cf10f3d03b
commit 9454c6b14f
2 changed files with 29 additions and 1 deletions
--- a/app/finders/conversation_finder.rb
+++ b/app/finders/conversation_finder.rb
@@ -55,7 +55,7 @@ class ConversationFinder

  def set_inboxes
    @inbox_ids = if params[:inbox_id]
-                   current_account.inboxes.where(id: params[:inbox_id])
+                   @current_user.assigned_inboxes.where(id: params[:inbox_id])
                 else
                   @current_user.assigned_inboxes.pluck(:id)
                 end
--- a/spec/finders/conversation_finder_spec.rb
+++ b/spec/finders/conversation_finder_spec.rb
@@ -6,7 +6,9 @@ describe ::ConversationFinder do
  let!(:account) { create(:account) }
  let!(:user_1) { create(:user, account: account) }
  let!(:user_2) { create(:user, account: account) }
+  let!(:admin) { create(:user, account: account, role: :administrator) }
  let!(:inbox) { create(:inbox, account: account, enable_auto_assignment: false) }
+  let!(:restricted_inbox) { create(:inbox, account: account) }

  before do
    create(:inbox_member, user: user_1, inbox: inbox)
@@ -30,6 +32,32 @@ describe ::ConversationFinder do
      end
    end

+    context 'with inbox' do
+      let!(:restricted_conversation) { create(:conversation, account: account, inbox_id: restricted_inbox.id) }
+
+      it 'returns conversation from any inbox if its admin' do
+        params = { inbox_id: restricted_inbox.id }
+        result = described_class.new(admin, params).perform
+
+        expect(result[:conversations].map(&:id)).to include(restricted_conversation.id)
+      end
+
+      it 'returns conversation from inbox if agent is its member' do
+        params = { inbox_id: restricted_inbox.id }
+        create(:inbox_member, user: user_1, inbox: restricted_inbox)
+        result = described_class.new(user_1, params).perform
+
+        expect(result[:conversations].map(&:id)).to include(restricted_conversation.id)
+      end
+
+      it 'does not return conversations from inboxes where agent is not a member' do
+        params = { inbox_id: restricted_inbox.id }
+        result = described_class.new(user_1, params).perform
+
+        expect(result[:conversations].map(&:id)).not_to include(restricted_conversation.id)
+      end
+    end
+
    context 'with assignee_type all' do
      let(:params) { { assignee_type: 'all' } }