From 3083f74d450cf9f51a4fcc5ef17928bc1b9a04ae Mon Sep 17 00:00:00 2001
From: Tejaswini Chile
Date: Wed, 30 Nov 2022 15:34:46 +0530
Subject: [PATCH] fix: Update inbox json, removing password (#5981)

- Filter restricted inbox attributes in APIs for agents

Fixes chatwoot/product#668

Co-authored-by: Sojan Jose
---
 app/views/api/v1/models/_inbox.json.jbuilder | 40 +++++++------
 .../v1/accounts/inboxes_controller_spec.rb | 57 ++++++++++++++++++-
 2 files changed, 78 insertions(+), 19 deletions(-)

diff --git a/app/views/api/v1/models/_inbox.json.jbuilder b/app/views/api/v1/models/_inbox.json.jbuilder
index 414dc250a323..0df3ca5a7fa7 100644
--- a/app/views/api/v1/models/_inbox.json.jbuilder
+++ b/app/views/api/v1/models/_inbox.json.jbuilder
@@ -33,7 +33,7 @@
 json.website_token resource.channel.try(:website_token)
 json.selected_feature_flags resource.channel.try(:selected_feature_flags)
 json.reply_time resource.channel.try(:reply_time) if resource.web_widget?
- json.hmac_token resource.channel.try(:hmac_token)
+ json.hmac_token resource.channel.try(:hmac_token) if Current.account_user&.administrator?
 json.pre_chat_form_enabled resource.channel.try(:pre_chat_form_enabled)
 json.pre_chat_form_options resource.channel.try(:pre_chat_form_options)
 json.continuity_via_email resource.channel.try(:continuity_via_email)
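Review bot: The visibility predicate `Current.account_user&.administrator?` is written inline on the new hmac_token line here and again three times in the next hunk; evaluating it once near the top of the partial, e.g. `admin_view = Current.account_user&.administrator?`, and writing `json.hmac_token resource.channel.try(:hmac_token) if admin_view` keeps the rule in a single place so a later attribute cannot be gated against a subtly different check. The safe-navigation form fails closed when `Current.account_user` is unset, which is the right default for a partial that may be rendered outside an agent request. This partial is only one serialization of the channel; any other representation of an inbox or channel that the commit does not touch (model `as_json`, event or webhook payloads, if such exist) would need the same gate, and that is worth confirming before closing the linked issue.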
@@ -56,29 +56,33 @@
 if resource.email?
 json.email resource.channel.try(:email)
 ## IMAP
- json.imap_login resource.channel.try(:imap_login)
- json.imap_password resource.channel.try(:imap_password)
- json.imap_address resource.channel.try(:imap_address)
- json.imap_port resource.channel.try(:imap_port)
- json.imap_enabled resource.channel.try(:imap_enabled)
- json.imap_enable_ssl resource.channel.try(:imap_enable_ssl)
+ if Current.account_user&.administrator?
+ json.imap_login resource.channel.try(:imap_login)
+ json.imap_password resource.channel.try(:imap_password)
+ json.imap_address resource.channel.try(:imap_address)
+ json.imap_port resource.channel.try(:imap_port)
+ json.imap_enabled resource.channel.try(:imap_enabled)
+ json.imap_enable_ssl resource.channel.try(:imap_enable_ssl)
+ end
 ## SMTP
- json.smtp_login resource.channel.try(:smtp_login)
- json.smtp_password resource.channel.try(:smtp_password)
- json.smtp_address resource.channel.try(:smtp_address)
- json.smtp_port resource.channel.try(:smtp_port)
- json.smtp_enabled resource.channel.try(:smtp_enabled)
- json.smtp_domain resource.channel.try(:smtp_domain)
- json.smtp_enable_ssl_tls resource.channel.try(:smtp_enable_ssl_tls)
- json.smtp_enable_starttls_auto resource.channel.try(:smtp_enable_starttls_auto)
- json.smtp_openssl_verify_mode resource.channel.try(:smtp_openssl_verify_mode)
- json.smtp_authentication resource.channel.try(:smtp_authentication)
+ if Current.account_user&.administrator?
+ json.smtp_login resource.channel.try(:smtp_login)
+ json.smtp_password resource.channel.try(:smtp_password)
+ json.smtp_address resource.channel.try(:smtp_address)
+ json.smtp_port resource.channel.try(:smtp_port)
+ json.smtp_enabled resource.channel.try(:smtp_enabled)
+ json.smtp_domain resource.channel.try(:smtp_domain)
+ json.smtp_enable_ssl_tls resource.channel.try(:smtp_enable_ssl_tls)
+ json.smtp_enable_starttls_auto resource.channel.try(:smtp_enable_starttls_auto)
+ json.smtp_openssl_verify_mode resource.channel.try(:smtp_openssl_verify_mode)
+ json.smtp_authentication resource.channel.try(:smtp_authentication)
+ end
 end
 ## API Channel Attributes
 if resource.api?
- json.hmac_token resource.channel.try(:hmac_token)
+ json.hmac_token resource.channel.try(:hmac_token) if Current.account_user&.administrator?
 json.webhook_url resource.channel.try(:webhook_url)
 json.inbox_identifier resource.channel.try(:identifier)
 json.additional_attributes resource.channel.try(:additional_attributes)
diff --git a/spec/controllers/api/v1/accounts/inboxes_controller_spec.rb b/spec/controllers/api/v1/accounts/inboxes_controller_spec.rb
index 83a84952c3fe..577ed0365c90 100644
--- a/spec/controllers/api/v1/accounts/inboxes_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/inboxes_controller_spec.rb
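Review bot: Even inside the new administrator guard, `json.imap_password` and `json.smtp_password` still echo stored mailbox credentials back in a read response, where they end up in browser devtools, intermediate proxies and any response logging; unless the admin settings screen genuinely needs the plaintext, a presence flag (for example a constructed boolean like `smtp_password_present`) serves the UI while keeping the secret write-only. Within this hunk the two adjacent `if Current.account_user&.administrator?` blocks around the IMAP and SMTP groups test the same condition and could be one block, or one local computed once at the top of the partial, so the IMAP and SMTP rules cannot drift apart. The surrounding `if resource.email?` block starts before this hunk and the `if resource.api?` block ends after it.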
@@ -103,7 +103,62 @@
 as: :json
 expect(response).to have_http_status(:success)
- expect(JSON.parse(response.body, symbolize_names: true)[:id]).to eq(inbox.id)
+ data = JSON.parse(response.body, symbolize_names: true)
+ expect(data[:id]).to eq(inbox.id)
+ expect(data[:hmac_token]).to be_nil
+ end
+
+ it 'returns empty imap details in inbox when agent' do
+ email_channel = create(:channel_email, account: account, imap_enabled: true, imap_login: 'test@test.com')
+ email_inbox = create(:inbox, channel: email_channel, account: account)
+ create(:inbox_member, user: agent, inbox: email_inbox)
+
+ imap_connection = double
+ allow(Mail).to receive(:connection).and_return(imap_connection)
+
+ get "/api/v1/accounts/#{account.id}/inboxes/#{email_inbox.id}",
+ headers: agent.create_new_auth_token,
+ as: :json
+
+ expect(response).to have_http_status(:success)
+ data = JSON.parse(response.body, symbolize_names: true)
+
+ expect(data[:imap_enabled]).to be_nil
+ expect(data[:imap_login]).to be_nil
+ end
+
+ it 'returns imap details in inbox when admin' do
+ email_channel = create(:channel_email, account: account, imap_enabled: true, imap_login: 'test@test.com')
+ email_inbox = create(:inbox, channel: email_channel, account: account)
+
+ imap_connection = double
+ allow(Mail).to receive(:connection).and_return(imap_connection)
+
+ get "/api/v1/accounts/#{account.id}/inboxes/#{email_inbox.id}",
+ headers: admin.create_new_auth_token,
+ as: :json
+
+ expect(response).to have_http_status(:success)
+ data = JSON.parse(response.body, symbolize_names: true)
+
+ expect(data[:imap_enabled]).to be_truthy
+ expect(data[:imap_login]).to eq('test@test.com')
+ end
+
+ it 'fetch API inbox without hmac token when agent' do
+ api_channel = create(:channel_api, account: account)
+ api_inbox = create(:inbox, channel: api_channel, account: account)
+ create(:inbox_member, user: agent, inbox: api_inbox)
+
+ get "/api/v1/accounts/#{account.id}/inboxes/#{api_inbox.id}",
+ headers: agent.create_new_auth_token,
+ as: :json
+
+ expect(response).to have_http_status(:success)
+
+ data = JSON.parse(response.body, symbolize_names: true)
+
+ expect(data[:hmac_token]).to be_nil
 end
 end
 end
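Review bot: The agent-side examples never assert on the attributes the commit is named for: `returns empty imap details in inbox when agent` checks only `imap_enabled` and `imap_login`, so a regression that re-exposes `imap_password` or any `smtp_*` attribute would still pass. Add `expect(data[:imap_password]).to be_nil` and `expect(data[:smtp_password]).to be_nil` there, passing those attributes to `create(:channel_email, ...)` the same way `imap_login:` is passed if the factory does not already set them, and mirror the positive expectations in the admin example. The hmac_token coverage is also one-sided, since both new hmac assertions are negative agent cases; an admin example asserting `expect(data[:hmac_token]).to be_present` would catch the token disappearing for everyone, which is the failure mode an over-eager guard produces. The enclosing example group starts before this hunk.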