NethVoice CTI: privacy settings are not applied

[margit86]

When privacy is enabled for a user (without queue agent role and QManager
access), the privacy settings are not properly enforced in the operator view.
Users can see phone numbers from other users' calls when they should not have
access to this information.

Privacy enforcement needs to be checked for:

• Internal calls
• Outgoing calls
• Incoming calls:
  • Direct calls
  • Queue calls

Steps to reproduce

1. Install an ns8-nethvoice version before 1.1 (e.g., 1.0.4)
2. Create three extensions:
   • Alice: 201
   • Bob: 202
   • Chuck: 203
3. Configure the Standard profile:
   • Enable Privacy permission
   • Disable Advanced queue agent panel
4. Configure the Advanced profile:
   • Disable Privacy permission
   • Enable Advanced queue agent panel
5. Configure users:
   • Assign Alice the Standard profile and enable web phone
   • Assign Bob the Advanced profile and enable web phone
   • Assign Chuck the Base profile and enable web phone
6. Add a queue from NethVoice Wizard (Advanced → Applications → Queues):
   • Queue Number: 701
   • Queue Name: Test
   • Fail Over Destination: Extensions
   • Queue Agents → Dynamic Agents:
     • Add user Alice
     • Add user Bob
7. Update to the latest ns8-nethvoice module version
8. Login as Alice, Bob, and Chuck on NethVoice CTI (use incognito windows and
   different browsers)
9. With Alice and Bob, log into queue 701 from the operator Queues page
10. Alice and Bob should change the Operators page layout to card grid to
    see who every operator is talking to
11. With Chuck, perform a phone call to queue 701
12. Make Bob answer the queue call

Expected behavior

Alice shouldn't be able to see who Bob is talking to

Actual behavior

Alice can see who Bob is talking to

Components

ns8-nethvoice, any version before 1.1

[edospadoni]

Testing release: https://github.com/nethesis/ns8-nethvoice/releases/tag/1.2.3-testing.4

[edospadoni]

Test case:

• check the bug is not reproducible