From 329e8c37c8ebc1b3629c0c3830b0e3070a3adc2a Mon Sep 17 00:00:00 2001
From: Tejaswini Chile <tejaswini@chatwoot.com>
Date: Fri, 2 Sep 2022 23:09:29 +0530
Subject: [PATCH] fix: Validations for updating team members (#5384)

fixes: chatwoot/product#539

Co-authored-by: Sojan Jose <sojan@pepalo.com>
---
 .../api/v1/accounts/team_members_controller.rb    |  7 +++++++
 .../v1/accounts/team_members_controller_spec.rb   | 15 +++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/app/controllers/api/v1/accounts/team_members_controller.rb b/app/controllers/api/v1/accounts/team_members_controller.rb
index 19a46b60793c..0243a915a493 100644
--- a/app/controllers/api/v1/accounts/team_members_controller.rb
+++ b/app/controllers/api/v1/accounts/team_members_controller.rb
@@ -1,6 +1,7 @@
 class Api::V1::Accounts::TeamMembersController < Api::V1::Accounts::BaseController
   before_action :fetch_team
   before_action :check_authorization
+  before_action :validate_member_id_params, only: [:create, :update, :destroy]
 
   def index
     @team_members = @team.team_members.map(&:user)
@@ -45,4 +46,10 @@ def current_members_ids
   def fetch_team
     @team = Current.account.teams.find(params[:team_id])
   end
+
+  def validate_member_id_params
+    invalid_ids = params[:user_ids].map(&:to_i) - @team.account.user_ids
+
+    render json: { error: 'Invalid User IDs' }, status: :unauthorized and return if invalid_ids.present?
+  end
 end
diff --git a/spec/controllers/api/v1/accounts/team_members_controller_spec.rb b/spec/controllers/api/v1/accounts/team_members_controller_spec.rb
index 967b8e79cca9..6643244c2fdb 100644
--- a/spec/controllers/api/v1/accounts/team_members_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/team_members_controller_spec.rb
@@ -2,6 +2,7 @@
 
 RSpec.describe 'Team Members API', type: :request do
   let(:account) { create(:account) }
+  let(:account_2) { create(:account) }
   let!(:team) { create(:team, account: account) }
 
   describe 'GET /api/v1/accounts/{account.id}/teams/{team_id}/team_members' do
@@ -120,6 +121,7 @@
 
     context 'when it is an authenticated user' do
       let(:agent) { create(:user, account: account, role: :agent) }
+      let(:agent_2) { create(:user, account: account_2, role: :agent) }
       let(:administrator) { create(:user, account: account, role: :administrator) }
 
       it 'return unauthorized for agent' do
@@ -145,6 +147,19 @@
         json_response = JSON.parse(response.body)
         expect(json_response.count).to eq(user_ids.count)
       end
+
+      it 'ignores the user ids when its not a valid account user id' do
+        params = { user_ids: [agent_2.id] }
+
+        patch "/api/v1/accounts/#{account.id}/teams/#{team.id}/team_members",
+              params: params,
+              headers: administrator.create_new_auth_token,
+              as: :json
+
+        expect(response).to have_http_status(:unauthorized)
+        json_response = JSON.parse(response.body)
+        expect(json_response['error']).to eq('Invalid User IDs')
+      end
     end
   end
 end