From 9454c6b14f75e778ef98cf84bdafdf0ed8ae5705 Mon Sep 17 00:00:00 2001
From: Sojan Jose
Date: Thu, 3 Feb 2022 18:25:28 -0800
Subject: [PATCH] Fix: Conversation filter permissions (#3908)

fixes: chatwoot/product#225
---
 app/finders/conversation_finder.rb | 2 +-
 spec/finders/conversation_finder_spec.rb | 28 ++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/app/finders/conversation_finder.rb b/app/finders/conversation_finder.rb
index 3409a24506a4..58013f1282f5 100644
--- a/app/finders/conversation_finder.rb
+++ b/app/finders/conversation_finder.rb
@@ -55,7 +55,7 @@ def set_up
 def set_inboxes
 @inbox_ids = if params[:inbox_id]
- current_account.inboxes.where(id: params[:inbox_id])
+ @current_user.assigned_inboxes.where(id: params[:inbox_id])
 else
 @current_user.assigned_inboxes.pluck(:id)
 end
diff --git a/spec/finders/conversation_finder_spec.rb b/spec/finders/conversation_finder_spec.rb
index 67b526b64c01..906c0e3f2e09 100644
--- a/spec/finders/conversation_finder_spec.rb
+++ b/spec/finders/conversation_finder_spec.rb
@@ -6,7 +6,9 @@
 let!(:account) { create(:account) }
 let!(:user_1) { create(:user, account: account) }
 let!(:user_2) { create(:user, account: account) }
+ let!(:admin) { create(:user, account: account, role: :administrator) }
 let!(:inbox) { create(:inbox, account: account, enable_auto_assignment: false) }
+ let!(:restricted_inbox) { create(:inbox, account: account) }
 before do
 create(:inbox_member, user: user_1, inbox: inbox)
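Review bot: Tenant isolation for the `inbox_id` filter in `set_inboxes` (app/finders/conversation_finder.rb) now rests entirely on `assigned_inboxes`, because the new line no longer goes through `current_account.inboxes` and the definition of `assigned_inboxes` is not visible in this hunk. If that method is not already limited to the current account, a user who belongs to more than one account could filter on an inbox from another account; assuming inboxes carry an `account_id`, `@current_user.assigned_inboxes.where(id: params[:inbox_id], account_id: current_account.id)` would keep both constraints explicit in one place. The two branches also leave different types in `@inbox_ids` (a relation here, an id array from `pluck(:id)` in the `else`), which deserves a one-line comment once the consumers have been checked. The closing `end` of `set_inboxes` lies outside the hunk.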
@@ -30,6 +32,32 @@
 end
 end
+ context 'with inbox' do
+ let!(:restricted_conversation) { create(:conversation, account: account, inbox_id: restricted_inbox.id) }
+
+ it 'returns conversation from any inbox if its admin' do
+ params = { inbox_id: restricted_inbox.id }
+ result = described_class.new(admin, params).perform
+
+ expect(result[:conversations].map(&:id)).to include(restricted_conversation.id)
+ end
+
+ it 'returns conversation from inbox if agent is its member' do
+ params = { inbox_id: restricted_inbox.id }
+ create(:inbox_member, user: user_1, inbox: restricted_inbox)
+ result = described_class.new(user_1, params).perform
+
+ expect(result[:conversations].map(&:id)).to include(restricted_conversation.id)
+ end
+
+ it 'does not return conversations from inboxes where agent is not a member' do
+ params = { inbox_id: restricted_inbox.id }
+ result = described_class.new(user_1, params).perform
+
+ expect(result[:conversations].map(&:id)).not_to include(restricted_conversation.id)
+ end
+ end
+
 context 'with assignee_type all' do
 let(:params) { { assignee_type: 'all' } }
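Review bot: The new 'with inbox' examples cover membership inside one account but not an `inbox_id` that belongs to a different account, which is the other boundary this filter has to hold. An example like the sketch below, built only from factories already used in this spec, would pin that down for the administrator, whom the first example shows reaching an inbox without an explicit `inbox_member` record. The negative example also asserts only on `result[:conversations]`; if `perform` returns counts as well (not visible in this hunk), they should be checked for the restricted inbox too. The enclosing `describe` block starts and ends outside the hunk.

```ruby
context 'with inbox' do
  # … unchanged: the three examples added by this commit …

  it 'does not return conversations from an inbox of another account' do
    other_account = create(:account)
    other_inbox = create(:inbox, account: other_account)
    other_conversation = create(:conversation, account: other_account, inbox_id: other_inbox.id)
    result = described_class.new(admin, { inbox_id: other_inbox.id }).perform

    expect(result[:conversations].map(&:id)).not_to include(other_conversation.id)
  end
end
```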