FIX: Check for chat channel permissions (#38)

2023-04-06 09:07:31 -03:00 · 2023-04-06 09:07:31 -03:00 · f2e52f7f24
parent 5549e4d5b3
commit f2e52f7f24
3 changed files with 55 additions and 13 deletions
--- a/app/controllers/discourse_ai/summarization/summary_controller.rb
+++ b/app/controllers/discourse_ai/summarization/summary_controller.rb
@ -15,6 +15,11 @@ module DiscourseAi
        chat_channel = Chat::Channel.find_by(id: params[:chat_channel_id])
        raise Discourse::NotFound.new(:chat_channel) if !chat_channel

+        if !(SiteSetting.discourse_ai_enabled && SiteSetting.ai_summarization_enabled)
+          raise PluginDisabled
+        end
+        raise Discourse::InvalidAccess if !guardian.can_join_chat_channel?(chat_channel)
+
        RateLimiter.new(
          current_user,
          "ai_summarization",
--- a/config/settings.yml
+++ b/config/settings.yml
@ -151,7 +151,7 @@ plugins:
    client: true

  ai_summarization_enabled:
-    default: true
+    default: false
    client: true
  ai_summarization_discourse_service_api_endpoint: ""
  ai_summarization_discourse_service_api_key: ""
--- a/spec/requests/summarization/summary_controller_spec.rb
+++ b/spec/requests/summarization/summary_controller_spec.rb
@ -2,23 +2,60 @@

 RSpec.describe DiscourseAi::Summarization::SummaryController do
  describe "#chat_channel" do
-    describe "validating inputs" do
-      it "returns a 404 if there is no chat channel" do
-        post "/disoucrse-ai/summarization/chat-channel", params: { chat_channel_id: 99, since: 3 }
+    fab!(:user) { Fabricate(:user) }
+    let!(:channel_group) { Fabricate(:group) }
+    let!(:chat_channel) { Fabricate(:private_category_channel, group: channel_group) }

-        expect(response.status).to eq(404)
+    before do
+      SiteSetting.ai_summarization_enabled = true
+      sign_in(user)
+    end
+
+    context "when the user can see the channel" do
+      before { channel_group.add(user) }
+
+      describe "validating inputs" do
+        it "returns a 404 if there is no chat channel" do
+          post "/discourse-ai/summarization/chat-channel", params: { chat_channel_id: 99, since: 3 }
+
+          expect(response.status).to eq(404)
+        end
+
+        it "returns a 400 if the since param is invalid" do
+          post "/discourse-ai/summarization/chat-channel",
+               params: {
+                 chat_channel_id: chat_channel.id,
+                 since: 0,
+               }
+
+          expect(response.status).to eq(400)
+        end
+
+        it "returns a 404 when the module is disabled" do
+          SiteSetting.ai_summarization_enabled = false
+
+          post "/discourse-ai/summarization/chat-channel",
+               params: {
+                 chat_channel_id: chat_channel.id,
+                 since: 1,
+               }
+
+          expect(response.status).to eq(404)
+        end
      end

-      it "returns a 400 if the since param is invalid" do
-        chat_channel = Fabricate(:chat_channel)
+      context "when the user can't see the channel" do
+        before { channel_group.remove(user) }

-        post "/disoucrse-ai/summarization/chat-channel",
-             params: {
-               chat_channel_id: chat_channel.id,
-               since: 0,
-             }
+        it "returns a 403 if the user can't see the chat channel" do
+          post "/discourse-ai/summarization/chat-channel",
+               params: {
+                 chat_channel_id: chat_channel.id,
+                 since: 1,
+               }

-        expect(response.status).to eq(404)
+          expect(response.status).to eq(403)
+        end
      end
    end
  end