mirror of
https://github.com/lingble/chatwoot.git
synced 2025-11-02 12:08:01 +00:00
27430752b5
Previously, agent bots weren’t allowed to edit custom attributes in conversations. But with AI, it’s now more feasible to return accurate and useful attributes. Since there’s no strong reason to block this, this PR enables bots to update custom attributes. Fixes https://github.com/chatwoot/chatwoot/issues/11378
39 lines
1.2 KiB
Ruby
39 lines
1.2 KiB
Ruby
module AccessTokenAuthHelper
|
|
BOT_ACCESSIBLE_ENDPOINTS = {
|
|
'api/v1/accounts/conversations' => %w[toggle_status toggle_priority create update custom_attributes],
|
|
'api/v1/accounts/conversations/messages' => ['create'],
|
|
'api/v1/accounts/conversations/assignments' => ['create']
|
|
}.freeze
|
|
|
|
def ensure_access_token
|
|
token = request.headers[:api_access_token] || request.headers[:HTTP_API_ACCESS_TOKEN]
|
|
@access_token = AccessToken.find_by(token: token) if token.present?
|
|
end
|
|
|
|
def authenticate_access_token!
|
|
ensure_access_token
|
|
render_unauthorized('Invalid Access Token') && return if @access_token.blank?
|
|
|
|
@resource = @access_token.owner
|
|
Current.user = @resource if allowed_current_user_type?(@resource)
|
|
end
|
|
|
|
def allowed_current_user_type?(resource)
|
|
return true if resource.is_a?(User)
|
|
return true if resource.is_a?(AgentBot)
|
|
|
|
false
|
|
end
|
|
|
|
def validate_bot_access_token!
|
|
return if Current.user.is_a?(User)
|
|
return if agent_bot_accessible?
|
|
|
|
render_unauthorized('Access to this endpoint is not authorized for bots')
|
|
end
|
|
|
|
def agent_bot_accessible?
|
|
BOT_ACCESSIBLE_ENDPOINTS.fetch(params[:controller], []).include?(params[:action])
|
|
end
|
|
end
|