NethVoice CTI: privacy settings are not applied #7363
Description
When privacy is enabled for a user (without queue agent role and QManager
access), the privacy settings are not properly enforced in the operator view.
Users can see phone numbers from other users' calls when they should not have
access to this information.
Privacy enforcement needs to be checked for:
- Internal calls
- Outgoing calls
- Incoming calls:
- Direct calls
- Queue calls
Steps to reproduce
- Install an ns8-nethvoice version before 1.1 (e.g., 1.0.4)
- Create three extensions:
- Alice: 201
- Bob: 202
- Chuck: 203
- Configure the Standard profile:
- Enable Privacy permission
- Disable Advanced queue agent panel
- Configure the Advanced profile:
- Disable Privacy permission
- Enable Advanced queue agent panel
- Configure users:
- Assign Alice the Standard profile and enable web phone
- Assign Bob the Advanced profile and enable web phone
- Assign Chuck the Base profile and enable web phone
- Add a queue from NethVoice Wizard (Advanced → Applications → Queues):
- Queue Number:
701 - Queue Name:
Test - Fail Over Destination:
Extensions - Queue Agents → Dynamic Agents:
- Add user Alice
- Add user Bob
- Queue Number:
- Update to the latest
ns8-nethvoicemodule version - Login as Alice, Bob, and Chuck on NethVoice CTI (use incognito windows and
different browsers) - With Alice and Bob, log into queue
701from the operator Queues page - Alice and Bob should change the Operators page layout to card grid to
see who every operator is talking to - With Chuck, perform a phone call to queue
701 - Make Bob answer the queue call
Expected behavior
Alice shouldn't be able to see who Bob is talking to
Actual behavior
Alice can see who Bob is talking to
Components
ns8-nethvoice, any version before 1.1