# Roles, permissions & inbox

## How the pieces fit together
No test cases yet.

## Organization setting: `conversation_visibility`
No test cases yet.

## Route-level RBAC (high level)
No test cases yet.

## Database migration `0046_conv_vis_rbac`
No test cases yet.

## Frontend behavior
No test cases yet.

## Manual test cases
| ID | Test Case | Preconditions | Steps | Expected Result | Priority |
|---|---|---|---|---|---|
| RBZ-001 | Default visibility after migration | DB upgraded through `0046`; org never changed setting | 1. Log in as non-Admin with inbox perms 2. Open `/chat` | Full queue visible (same as pre-RBAC behavior); `organizations.conversation_visibility` reads `org` | High |
| RBZ-002 | Admin always sees full queue | Org visibility set to `assigned`; conversations exist assigned to others | 1. Log in as org Admin 2. Open `/chat` | All conversations listed; can open any thread | High |
| RBZ-003 | `assigned` hides others’ threads | Org visibility `assigned`; Agent A and B; conv assigned to B | 1. Log in as A 2. List and open B’s conversation URL directly | List excludes B’s row; GET conversation/messages returns **403** for B’s id | High |
| RBZ-004 | `assigned_plus_unassigned` pool | Org visibility set accordingly; mix of assigned and unassigned rows | 1. Log in as agent 2. Observe list with filter `all` | Sees own assigned + unassigned only; not others’ assigned | High |
| RBZ-005 | `team` includes team + unassigned | Agent in Team X; conv assigned to Team X; another only to Team Y | Log in as agent | Sees own, Team X, and unassigned; not Team Y-only rows (unless also self/unassigned) | High |
| RBZ-006 | Superadmin bypass | Same as RBZ-003 but user is superadmin | Open any conversation in org | Full access; no visibility 403 | Medium |
| RBZ-010 | Assign without write | Role has `conversations:read` + `conversations:assign` but **not** `conversations:write` | PATCH only `assigned_user_id` / `assigned_team_id` | **200**; assignment updates | High |
| RBZ-011 | Status without assign | Role has read+write, **no** `conversations:assign` | PATCH only `status` | **200** | High |
| RBZ-012 | Assign without assign perm | Role has read+write only | PATCH assignment fields | **403** `Missing required permission: conversations:assign` | High |
| RBZ-013 | Status without write | Role has read+assign only | PATCH `status` | **403** `Missing required permission: conversations:write` | High |
| RBZ-020 | Messages blocked when thread forbidden | Visibility hides conversation | `GET/POST` messages endpoints for that id | **403** from the access check (a non-existent id returns **404** before that check) | High |
| RBZ-021 | Contacts require read | Role without `contacts:read` | `GET /contacts` | **403** | High |
| RBZ-022 | Contact write for mutations | Role with read only | `PATCH /contacts/{id}` | **403** | High |
| RBZ-030 | Visibility control visible to org editor | Admin on Organization tab | Set visibility to `team`, Save | Success; reload chat; policy applied | High |
| RBZ-031 | SME template applies checkboxes | Admin on Roles, edit a custom role | Click e.g. “Support agent” preset then Save | Role permissions match template set in code | Medium |
| RBZ-032 | Default filter mine when `assigned` | Fresh session, visibility `assigned` | Navigate to `/chat` once | Initial filter is **Mine** (`assigned_to_me=true` in network tab) | High |
| RBZ-040 | Scoped visibility refetch | Visibility ≠ `org`; two agents | Reassign conversation out of agent’s scope via another user | Agent receives `conversation_update`; list refetches; active thread cleared if gone | High |
| RBZ-041 | Org mode in-place update | Visibility `org` | Assignment update | List row updates without full list refetch (prior behavior) | Medium |
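As an added worked example (not the project's own code), the following Python reference model encodes the visibility modes and the PATCH permission split that the RBZ cases above exercise, so the expected results can be checked against a single decision function. `User`, `Conversation`, `can_view`, `visible_ids` and `authorize_patch` are assumed names; the page does not define them. Two further assumptions are marked in the code: "unassigned" means no user and no team is assigned (the reading that makes a Team-Y-only row invisible in RBZ-005), and an org Admin bypasses visibility but still needs the route permissions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Values stored in organizations.conversation_visibility (from the test cases).
VISIBILITY_MODES = ("org", "assigned", "assigned_plus_unassigned", "team")
# Fields that are governed by conversations:assign rather than conversations:write.
ASSIGNMENT_FIELDS = frozenset({"assigned_user_id", "assigned_team_id"})


@dataclass(frozen=True)
class User:                      # assumed shape, not the project's model
    id: str
    org_id: str
    perms: frozenset = frozenset()
    team_ids: frozenset = frozenset()
    is_admin: bool = False       # org Admin: full queue (RBZ-002); assumption: still needs route perms
    is_superadmin: bool = False  # platform superadmin: no visibility 403 (RBZ-006)


@dataclass(frozen=True)
class Conversation:              # assumed shape, not the project's model
    id: str
    org_id: str
    assigned_user_id: str | None = None
    assigned_team_id: str | None = None

    @property
    def is_unassigned(self) -> bool:
        # Assumption: "unassigned" = neither a user nor a team is assigned.
        return self.assigned_user_id is None and self.assigned_team_id is None


def can_view(user: User, conv: Conversation, visibility: str) -> bool:
    """Visibility policy: may `user` list or open `conv` under this org setting?"""
    if visibility not in VISIBILITY_MODES:
        raise ValueError(f"unknown conversation_visibility: {visibility!r}")
    if user.is_superadmin:
        return True
    if conv.org_id != user.org_id:        # tenancy boundary; never relaxed by the setting
        return False
    if user.is_admin or visibility == "org":
        return True                       # RBZ-001, RBZ-002
    mine = conv.assigned_user_id == user.id
    if visibility == "assigned":
        return mine                       # RBZ-003
    if visibility == "assigned_plus_unassigned":
        return mine or conv.is_unassigned # RBZ-004
    in_team = conv.assigned_team_id is not None and conv.assigned_team_id in user.team_ids
    return mine or in_team or conv.is_unassigned  # "team": RBZ-005


def visible_ids(user: User, convs: list[Conversation], visibility: str) -> list[str]:
    """The rows the inbox list would return for `user`, in input order."""
    return [c.id for c in convs if can_view(user, c, visibility)]


def authorize_patch(user: User, conv: Conversation, visibility: str, payload: dict) -> tuple[int, str]:
    """Decision for PATCH /conversations/{id}: (http_status, detail)."""
    if not can_view(user, conv, visibility):
        return 403, "Forbidden"           # hidden thread: 403, not a data leak (RBZ-003, RBZ-020)
    needed = {"conversations:assign" if f in ASSIGNMENT_FIELDS else "conversations:write"
              for f in payload}
    for perm in sorted(needed):           # deterministic message for mixed payloads
        if perm not in user.perms:
            return 403, f"Missing required permission: {perm}"  # RBZ-012, RBZ-013
    return 200, "ok"                      # RBZ-010, RBZ-011


if __name__ == "__main__":
    # Constructed sample data mirroring RBZ-003/004/005.
    a = User("A", "o1", perms=frozenset({"conversations:read"}), team_ids=frozenset({"X"}))
    convs = [
        Conversation("c_a", "o1", assigned_user_id="A"),
        Conversation("c_b", "o1", assigned_user_id="B"),
        Conversation("c_un", "o1"),
        Conversation("c_tx", "o1", assigned_team_id="X"),
        Conversation("c_ty", "o1", assigned_team_id="Y"),
    ]
    for mode in VISIBILITY_MODES:
        print(f"{mode:26} -> {visible_ids(a, convs, mode)}")
```

Running the module prints the visible row ids for agent A under each mode; the `authorize_patch` return value is the pair a handler would turn into the HTTP response, and the visibility check runs before the permission check so a hidden thread is rejected the same way whether or not the role could otherwise edit it.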
## Related docs
No test cases yet.
## Engineering references (read-only)
No test cases yet.