From f2e52f7f2483d815d33037488570a222172548b0 Mon Sep 17 00:00:00 2001
From: Roman Rizzi
Date: Thu, 6 Apr 2023 09:07:31 -0300
Subject: [PATCH] FIX: Check for chat channel permissions (#38)
---
 .../summarization/summary_controller.rb | 5 ++
 config/settings.yml | 2 +-
 .../summarization/summary_controller_spec.rb | 61 +++++++++++++++----
 3 files changed, 55 insertions(+), 13 deletions(-)
diff --git a/app/controllers/discourse_ai/summarization/summary_controller.rb b/app/controllers/discourse_ai/summarization/summary_controller.rb
index 11ce36a5..023d91c8 100644
--- a/app/controllers/discourse_ai/summarization/summary_controller.rb
+++ b/app/controllers/discourse_ai/summarization/summary_controller.rb
@@ -15,6 +15,11 @@ module DiscourseAi
 chat_channel = Chat::Channel.find_by(id: params[:chat_channel_id])
 raise Discourse::NotFound.new(:chat_channel) if !chat_channel
+ if !(SiteSetting.discourse_ai_enabled && SiteSetting.ai_summarization_enabled)
+ raise PluginDisabled
+ end
+ raise Discourse::InvalidAccess if !guardian.can_join_chat_channel?(chat_channel)
+
 RateLimiter.new(
 current_user,
 "ai_summarization",
diff --git a/config/settings.yml b/config/settings.yml
index add1a923..b7b9c80d 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -151,7 +151,7 @@ plugins:
 client: true
 ai_summarization_enabled:
- default: true
+ default: false
 client: true
 ai_summarization_discourse_service_api_endpoint: ""
 ai_summarization_discourse_service_api_key: ""
diff --git a/spec/requests/summarization/summary_controller_spec.rb b/spec/requests/summarization/summary_controller_spec.rb
index f4fbbcda..b3c6b735 100644
--- a/spec/requests/summarization/summary_controller_spec.rb
+++ b/spec/requests/summarization/summary_controller_spec.rb
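Review bot: In summary_controller.rb the new `raise Discourse::InvalidAccess` runs only after the `Chat::Channel.find_by` lookup and its `Discourse::NotFound`, so a caller without access gets 404 for an id that does not exist and 403 for one that does, which tells them which private channel ids are in use. If channel existence is meant to stay hidden, fold the two outcomes together, e.g. `raise Discourse::NotFound.new(:chat_channel) if !chat_channel || !guardian.can_join_chat_channel?(chat_channel)`, and change the spec's 403 expectation to match. The `PluginDisabled` check would also sit better ahead of the lookup (or in a `before_action`), so a disabled module answers before any channel query runs. The enclosing action starts and ends outside the hunk, so whether login is enforced earlier cannot be confirmed from here.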
@@ -2,23 +2,60 @@
 RSpec.describe DiscourseAi::Summarization::SummaryController do
 describe "#chat_channel" do
- describe "validating inputs" do
- it "returns a 404 if there is no chat channel" do
- post "/disoucrse-ai/summarization/chat-channel", params: { chat_channel_id: 99, since: 3 }
+ fab!(:user) { Fabricate(:user) }
+ let!(:channel_group) { Fabricate(:group) }
+ let!(:chat_channel) { Fabricate(:private_category_channel, group: channel_group) }
- expect(response.status).to eq(404)
+ before do
+ SiteSetting.ai_summarization_enabled = true
+ sign_in(user)
+ end
+
+ context "when the user can see the channel" do
+ before { channel_group.add(user) }
+
+ describe "validating inputs" do
+ it "returns a 404 if there is no chat channel" do
+ post "/discourse-ai/summarization/chat-channel", params: { chat_channel_id: 99, since: 3 }
+
+ expect(response.status).to eq(404)
+ end
+
+ it "returns a 400 if the since param is invalid" do
+ post "/discourse-ai/summarization/chat-channel",
+ params: {
+ chat_channel_id: chat_channel.id,
+ since: 0,
+ }
+
+ expect(response.status).to eq(400)
+ end
+
+ it "returns a 404 when the module is disabled" do
+ SiteSetting.ai_summarization_enabled = false
+
+ post "/discourse-ai/summarization/chat-channel",
+ params: {
+ chat_channel_id: chat_channel.id,
+ since: 1,
+ }
+
+ expect(response.status).to eq(404)
+ end
 end
- it "returns a 400 if the since param is invalid" do
- chat_channel = Fabricate(:chat_channel)
+ context "when the user can't see the channel" do
+ before { channel_group.remove(user) }
- post "/disoucrse-ai/summarization/chat-channel",
- params: {
- chat_channel_id: chat_channel.id,
- since: 0,
- }
+ it "returns a 403 if the user can't see the chat channel" do
+ post "/discourse-ai/summarization/chat-channel",
+ params: {
+ chat_channel_id: chat_channel.id,
+ since: 1,
+ }
- expect(response.status).to eq(404)
+ expect(response.status).to eq(403)
+ end
 end
 end
 end
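Review bot: In summary_controller_spec.rb the `context "when the user can't see the channel"` block is opened before the outer `context "when the user can see the channel"` is closed; judging by the `end` lines (indentation is not visible here) the 403 example is nested inside it and runs `channel_group.add(user)` followed by `channel_group.remove(user)`. It still passes, but the denied case reads as a sub-case of the allowed one; closing the first context before opening the second keeps the two setups independent. The disabled-module example only flips `ai_summarization_enabled`, so a second example with `SiteSetting.discourse_ai_enabled = false` would cover the other half of the controller's condition. A signed-out request is not exercised in this hunk either.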