diff --git a/app/controllers/api/v1/accounts/team_members_controller.rb b/app/controllers/api/v1/accounts/team_members_controller.rb index 19a46b607..0243a915a 100644 --- a/app/controllers/api/v1/accounts/team_members_controller.rb +++ b/app/controllers/api/v1/accounts/team_members_controller.rb @@ -1,6 +1,7 @@ class Api::V1::Accounts::TeamMembersController < Api::V1::Accounts::BaseController before_action :fetch_team before_action :check_authorization + before_action :validate_member_id_params, only: [:create, :update, :destroy] def index @team_members = @team.team_members.map(&:user) @@ -45,4 +46,10 @@ class Api::V1::Accounts::TeamMembersController < Api::V1::Accounts::BaseControll def fetch_team @team = Current.account.teams.find(params[:team_id]) end + + def validate_member_id_params + invalid_ids = params[:user_ids].map(&:to_i) - @team.account.user_ids + + render json: { error: 'Invalid User IDs' }, status: :unauthorized and return if invalid_ids.present? + end end diff --git a/spec/controllers/api/v1/accounts/team_members_controller_spec.rb b/spec/controllers/api/v1/accounts/team_members_controller_spec.rb index 967b8e79c..6643244c2 100644 --- a/spec/controllers/api/v1/accounts/team_members_controller_spec.rb +++ b/spec/controllers/api/v1/accounts/team_members_controller_spec.rb @@ -2,6 +2,7 @@ require 'rails_helper' RSpec.describe 'Team Members API', type: :request do let(:account) { create(:account) } + let(:account_2) { create(:account) } let!(:team) { create(:team, account: account) } describe 'GET /api/v1/accounts/{account.id}/teams/{team_id}/team_members' do @@ -120,6 +121,7 @@ RSpec.describe 'Team Members API', type: :request do context 'when it is an authenticated user' do let(:agent) { create(:user, account: account, role: :agent) } + let(:agent_2) { create(:user, account: account_2, role: :agent) } let(:administrator) { create(:user, account: account, role: :administrator) } it 'return unauthorized for agent' do @@ -145,6 +147,19 @@ RSpec.describe 'Team Members API', type: :request do json_response = JSON.parse(response.body) expect(json_response.count).to eq(user_ids.count) end + + it 'ignores the user ids when its not a valid account user id' do + params = { user_ids: [agent_2.id] } + + patch "/api/v1/accounts/#{account.id}/teams/#{team.id}/team_members", + params: params, + headers: administrator.create_new_auth_token, + as: :json + + expect(response).to have_http_status(:unauthorized) + json_response = JSON.parse(response.body) + expect(json_response['error']).to eq('Invalid User IDs') + end end end end