fix: Update inbox json, removing password (#5981)

- Filter restricted inbox attributes in APIs for agents 

Fixes chatwoot/product#668

Co-authored-by: Sojan Jose <sojan@pepalo.com>

app/views/api/v1/models/_inbox.json.jbuilder

@@ -33,7 +33,7 @@ json.website_token resource.channel.try(:website_token)
 json.selected_feature_flags resource.channel.try(:selected_feature_flags)
 json.reply_time resource.channel.try(:reply_time)
 if resource.web_widget?
-  json.hmac_token resource.channel.try(:hmac_token)
+  json.hmac_token resource.channel.try(:hmac_token) if Current.account_user&.administrator?
   json.pre_chat_form_enabled resource.channel.try(:pre_chat_form_enabled)
   json.pre_chat_form_options resource.channel.try(:pre_chat_form_options)
   json.continuity_via_email resource.channel.try(:continuity_via_email)
@@ -56,29 +56,33 @@ if resource.email?
   json.email resource.channel.try(:email)
 
   ## IMAP
-  json.imap_login resource.channel.try(:imap_login)
-  json.imap_password resource.channel.try(:imap_password)
-  json.imap_address resource.channel.try(:imap_address)
-  json.imap_port resource.channel.try(:imap_port)
-  json.imap_enabled resource.channel.try(:imap_enabled)
-  json.imap_enable_ssl resource.channel.try(:imap_enable_ssl)
+  if Current.account_user&.administrator?
+    json.imap_login resource.channel.try(:imap_login)
+    json.imap_password resource.channel.try(:imap_password)
+    json.imap_address resource.channel.try(:imap_address)
+    json.imap_port resource.channel.try(:imap_port)
+    json.imap_enabled resource.channel.try(:imap_enabled)
+    json.imap_enable_ssl resource.channel.try(:imap_enable_ssl)
+  end
 
   ## SMTP
-  json.smtp_login resource.channel.try(:smtp_login)
-  json.smtp_password resource.channel.try(:smtp_password)
-  json.smtp_address resource.channel.try(:smtp_address)
-  json.smtp_port resource.channel.try(:smtp_port)
-  json.smtp_enabled resource.channel.try(:smtp_enabled)
-  json.smtp_domain resource.channel.try(:smtp_domain)
-  json.smtp_enable_ssl_tls resource.channel.try(:smtp_enable_ssl_tls)
-  json.smtp_enable_starttls_auto resource.channel.try(:smtp_enable_starttls_auto)
-  json.smtp_openssl_verify_mode resource.channel.try(:smtp_openssl_verify_mode)
-  json.smtp_authentication resource.channel.try(:smtp_authentication)
+  if Current.account_user&.administrator?
+    json.smtp_login resource.channel.try(:smtp_login)
+    json.smtp_password resource.channel.try(:smtp_password)
+    json.smtp_address resource.channel.try(:smtp_address)
+    json.smtp_port resource.channel.try(:smtp_port)
+    json.smtp_enabled resource.channel.try(:smtp_enabled)
+    json.smtp_domain resource.channel.try(:smtp_domain)
+    json.smtp_enable_ssl_tls resource.channel.try(:smtp_enable_ssl_tls)
+    json.smtp_enable_starttls_auto resource.channel.try(:smtp_enable_starttls_auto)
+    json.smtp_openssl_verify_mode resource.channel.try(:smtp_openssl_verify_mode)
+    json.smtp_authentication resource.channel.try(:smtp_authentication)
+  end
 end
 
 ## API Channel Attributes
 if resource.api?
-  json.hmac_token resource.channel.try(:hmac_token)
+  json.hmac_token resource.channel.try(:hmac_token) if Current.account_user&.administrator?
   json.webhook_url resource.channel.try(:webhook_url)
   json.inbox_identifier resource.channel.try(:identifier)
   json.additional_attributes resource.channel.try(:additional_attributes)

spec/controllers/api/v1/accounts/inboxes_controller_spec.rb

@@ -103,7 +103,62 @@ RSpec.describe 'Inboxes API', type: :request do
             as: :json
 
         expect(response).to have_http_status(:success)
-        expect(JSON.parse(response.body, symbolize_names: true)[:id]).to eq(inbox.id)
+        data = JSON.parse(response.body, symbolize_names: true)
+        expect(data[:id]).to eq(inbox.id)
+        expect(data[:hmac_token]).to be_nil
+      end
+
+      it 'returns empty imap details in inbox when agent' do
+        email_channel = create(:channel_email, account: account, imap_enabled: true, imap_login: 'test@test.com')
+        email_inbox = create(:inbox, channel: email_channel, account: account)
+        create(:inbox_member, user: agent, inbox: email_inbox)
+
+        imap_connection = double
+        allow(Mail).to receive(:connection).and_return(imap_connection)
+
+        get "/api/v1/accounts/#{account.id}/inboxes/#{email_inbox.id}",
+            headers: agent.create_new_auth_token,
+            as: :json
+
+        expect(response).to have_http_status(:success)
+        data = JSON.parse(response.body, symbolize_names: true)
+
+        expect(data[:imap_enabled]).to be_nil
+        expect(data[:imap_login]).to be_nil
+      end
+
+      it 'returns imap details in inbox when admin' do
+        email_channel = create(:channel_email, account: account, imap_enabled: true, imap_login: 'test@test.com')
+        email_inbox = create(:inbox, channel: email_channel, account: account)
+
+        imap_connection = double
+        allow(Mail).to receive(:connection).and_return(imap_connection)
+
+        get "/api/v1/accounts/#{account.id}/inboxes/#{email_inbox.id}",
+            headers: admin.create_new_auth_token,
+            as: :json
+
+        expect(response).to have_http_status(:success)
+        data = JSON.parse(response.body, symbolize_names: true)
+
+        expect(data[:imap_enabled]).to be_truthy
+        expect(data[:imap_login]).to eq('test@test.com')
+      end
+
+      it 'fetch API inbox without hmac token when agent' do
+        api_channel = create(:channel_api, account: account)
+        api_inbox = create(:inbox, channel: api_channel, account: account)
+        create(:inbox_member, user: agent, inbox: api_inbox)
+
+        get "/api/v1/accounts/#{account.id}/inboxes/#{api_inbox.id}",
+            headers: agent.create_new_auth_token,
+            as: :json
+
+        expect(response).to have_http_status(:success)
+
+        data = JSON.parse(response.body, symbolize_names: true)
+
+        expect(data[:hmac_token]).to be_nil
       end
     end
   end