discourse-data-explorer/spec/controllers/queries_controller_spec.rb

455 lines
15 KiB
Ruby
Raw Normal View History

# frozen_string_literal: true
2016-04-11 17:13:51 -04:00
require 'rails_helper'
2015-07-15 16:20:42 -04:00
describe DataExplorer::QueryController do
def response_json
MultiJson.load(response.body)
end
before do
SiteSetting.data_explorer_enabled = true
end
def make_query(sql, opts = {}, group_ids = [])
query = DataExplorer::Query.create!(name: opts[:name] || "Query number", description: "A description for query number", sql: sql, hidden: opts[:hidden] || false)
group_ids.each do |group_id|
query.query_groups.create!(group_id: group_id)
end
query
2015-07-15 16:20:42 -04:00
end
describe "Admin" do
routes { ::DataExplorer::Engine.routes }
2016-08-19 04:46:03 -04:00
let!(:admin) { log_in_user(Fabricate(:admin)) }
2016-08-19 04:46:03 -04:00
describe "when disabled" do
before do
SiteSetting.data_explorer_enabled = false
end
it 'denies every request' do
get :index
expect(response.body).to be_empty
2016-08-19 04:46:03 -04:00
get :index, format: :json
expect(response.status).to eq(404)
2016-08-19 04:46:03 -04:00
get :schema, format: :json
expect(response.status).to eq(404)
2016-08-19 04:46:03 -04:00
get :show, params: { id: 3 }, format: :json
expect(response.status).to eq(404)
2016-08-19 04:46:03 -04:00
post :create, params: { id: 3 }, format: :json
expect(response.status).to eq(404)
2016-08-19 04:46:03 -04:00
post :run, params: { id: 3 }, format: :json
expect(response.status).to eq(404)
2015-07-15 16:20:42 -04:00
put :update, params: { id: 3 }, format: :json
expect(response.status).to eq(404)
delete :destroy, params: { id: 3 }, format: :json
expect(response.status).to eq(404)
end
end
describe "#index" do
before do
require_dependency File.expand_path('../../../lib/queries.rb', __FILE__)
end
it "behaves nicely with no user created queries" do
DataExplorer::Query.destroy_all
get :index, format: :json
expect(response.status).to eq(200)
expect(response_json['queries'].count).to eq(Queries.default.count)
end
it "shows all available queries in alphabetical order" do
DataExplorer::Query.destroy_all
make_query('SELECT 1 as value', name: 'B')
make_query('SELECT 1 as value', name: 'A')
get :index, format: :json
expect(response.status).to eq(200)
expect(response_json['queries'].length).to eq(Queries.default.count + 2)
expect(response_json['queries'][0]['name']).to eq('A')
expect(response_json['queries'][1]['name']).to eq('B')
end
FEATURE: Add ability to soft delete (hide) queries and revert deletion with rake tasks (#54) * FEATURE: Add hide button (toggleable) for all queries (frontend only) * Switches between hide/unhide on click * Works almost like the delete button, but toggles between the query's hidden attribute instead * So far this is only a frontend feature, the backend implementation still needs work * Revert "FEATURE: Add hide button (toggleable) for all queries (frontend only)" This reverts commit a8771d2ad57083a91b7130df807fa54c26205d11. REVERT: Remove button that hides queries (frontend) * Prepare for migration of old frontend logic to backend * We are going to reuse the existing delete button, but change its backend logic to enable soft deletion. From the user's perspective nothing will change, but any deletion mistakes can be reverted. * DEV: Hide user queries upon deletion, but keep them in store * Creating a new query will set its hidden attribute to false by default * Deleting a user-made query will not delete it from the store, but set its hidden attribute to true * User queries will not be indexed if they are hidden * Undeleting a query will unhide it, and will be indexed * Updating a hidden query will unhide it, and will be indexed * SPEC: Add spec for hidden/deleted queries * Hidden queries should not be shown * FEATURE: Add ability to delete/hide system queries * System queries are now able to be deleted from view, but will remain in the backend for retrieval, if necessary * FEATURE/DEV: Add rake commands for query soft deletion * query:list_hidden - Shows a list of hidden queries * query:hide_all[only_default] - Hides all queries, w/ boolean arg to hide only default ones * query:unhide[id] - Unhides a query by id * query:unhide_all[exclude_default] - Unhides all hidden queries, w/ boolean arg to exclude default ones * Remove rails loggers * UX/DEV: Update query rake tasks to be more user friendly * Split query:hide_all[only_default] into two tasks: * query:hide_all - Hides all queries * query:hide_all:only_default - Hide only default queries * Split query:unhide_all[exclude_default] into two tasks: * query:unhide_all - Unhides all hidden queries * query:unhide_all:exclude_default - Unhides all non-default queries * Rename file to match task name * UX: query:unhide can accept multiple arguments * Example: rake query:unhide[-5,-6,-7,3,5,6,-13,-14,-10] * UX: Update query rake tasks to output cleaner messages * Remove unneeded comment * DEV: Keep only necessary rake tasks, use more specific naming * UX/DEV: Add rake task for hard deletion, better console logs * User is able to hard delete a query only if it is hidden, otherwise output a message stating so * Add commented examples above each task * Add rainbow support for more readable console logs * Successful messages will display green, failures display red, additional info displays yellow * Separate multiple queries with spaces instead of lines * DEV: Remove rainbow colorizing in console logs * Rainbow is a dependency of rubocop and it may go away in the future * Rainbow is only used for dev and test environments * DEV: Add Rails engine to enable rake tasks to be loaded at runtime * DEV: Favor require - load files only if they are not already loaded * SPEC: Add tests for data_explorer[id] rake command * Test if a single query is hidden correctly * Expect length of query list to not be modified * Expect array of hidden queries to have exactly 1 element * Expect that one element to have the same ID as the one invoked to be hidden * Test if multiple queries are hidden correctly * Expect length of query list to not be modified * Expect array of hidden queries to have the number of elements equal to the number invoked to be hidden * Expect the elements to have the same ID as the ones invoked to be hidden * Test if a query exists in PluginStore * Expect query list to be empty * DEV: Clear pre-existing tasks before redefining * This prevents double invocation when user invokes the task once * SPEC: Add tests for unhide_query rake task * Test if a single query unhides correctly * Expect length of query list to not be modified * Expect array of hidden queries to have exactly 1 element after unhiding 1 of 2 queries * Expect remaining element to be hidden * Test if multiple queries unhide correctly * Expect length of query list to not be modified * Expect array of hidden queries to have exactly 1 element after unhiding 3 of 4 queries * Expect remaining element to be hidden * Test if a query exists in PluginStore * Expect query list to not be modified * SPEC: Add tests for hard_delete rake task * Test if a single query hard deletes correctly * Expect length of query list to be shorter by 1 * Expect array of hidden queries to have exactly 1 element after hard deleting 1 of 2 queries * Expect 1 remaining hidden element * Test if multiple queries hard delete correctly * Expect length of query list to be shorter by 3 after hard deleting 3 of 4 queries * Expect array of hidden queries to have exactly 1 element after hard deleting 3 of 4 queries * Expect 1 remaining hidden element * Test if a query exists in PluginStore * Expect hidden query list to not be modified * Test if a query is not hidden * Expect query list to not be modified * UX: Favor newline char in place of puts for logs * Condensed console logs to output newline char instead of another puts statement (reduces number of lines used significantly)
2020-07-29 02:50:24 -04:00
it "doesn't show hidden/deleted queries" do
DataExplorer::Query.destroy_all
make_query('SELECT 1 as value', name: 'A', hidden: false)
make_query('SELECT 1 as value', name: 'B', hidden: true)
make_query('SELECT 1 as value', name: 'C', hidden: true)
get :index, format: :json
expect(response.status).to eq(200)
expect(response_json['queries'].length).to eq(Queries.default.count + 1)
end
2015-07-15 16:20:42 -04:00
end
describe "#run" do
let!(:admin) { log_in(:admin) }
def run_query(id, params = {})
params = Hash[params.map { |a| [a[0], a[1].to_s] }]
post :run, params: { id: id, _params: MultiJson.dump(params) }, format: :json
end
it "can run queries" do
q = make_query('SELECT 23 as my_value')
run_query q.id
expect(response.status).to eq(200)
expect(response_json['success']).to eq(true)
expect(response_json['errors']).to eq([])
expect(response_json['columns']).to eq(['my_value'])
expect(response_json['rows']).to eq([[23]])
end
it "can process parameters" do
q = make_query <<~SQL
-- [params]
-- int :foo = 34
SELECT :foo as my_value
SQL
run_query q.id, foo: 23
expect(response.status).to eq(200)
expect(response_json['errors']).to eq([])
expect(response_json['success']).to eq(true)
expect(response_json['columns']).to eq(['my_value'])
expect(response_json['rows']).to eq([[23]])
run_query q.id
expect(response.status).to eq(200)
expect(response_json['errors']).to eq([])
expect(response_json['success']).to eq(true)
expect(response_json['columns']).to eq(['my_value'])
expect(response_json['rows']).to eq([[34]])
# 2.3 is not an integer
run_query q.id, foo: '2.3'
expect(response.status).to eq(422)
expect(response_json['errors']).to_not eq([])
expect(response_json['success']).to eq(false)
expect(response_json['errors'].first).to match(/ValidationError/)
end
it "doesn't allow you to modify the database #1" do
p = create_post
q = make_query <<~SQL
UPDATE posts SET cooked = '<p>you may already be a winner!</p>' WHERE id = #{p.id}
RETURNING id
SQL
run_query q.id
p.reload
# Manual Test - comment out the following lines:
# DB.exec "SET TRANSACTION READ ONLY"
# raise ActiveRecord::Rollback
# This test should fail on the below check.
expect(p.cooked).to_not match(/winner/)
expect(response.status).to eq(422)
expect(response_json['errors']).to_not eq([])
expect(response_json['success']).to eq(false)
expect(response_json['errors'].first).to match(/read-only transaction/)
end
it "doesn't allow you to modify the database #2" do
p = create_post
q = make_query <<~SQL
SELECT 1
)
SELECT * FROM query;
RELEASE SAVEPOINT active_record_1;
SET TRANSACTION READ WRITE;
UPDATE posts SET cooked = '<p>you may already be a winner!</p>' WHERE id = #{p.id};
SAVEPOINT active_record_1;
SET TRANSACTION READ ONLY;
WITH query AS (
SELECT 1
SQL
run_query q.id
p.reload
# Manual Test - change out the following line:
#
# module ::DataExplorer
# def self.run_query(...)
# if query.sql =~ /;/
#
# to
#
# if false && query.sql =~ /;/
#
# Afterwards, this test should fail on the below check.
expect(p.cooked).to_not match(/winner/)
expect(response.status).to eq(422)
expect(response_json['errors']).to_not eq([])
expect(response_json['success']).to eq(false)
expect(response_json['errors'].first).to match(/semicolon/)
end
it "doesn't allow you to lock rows" do
q = make_query <<~SQL
SELECT id FROM posts FOR UPDATE
SQL
run_query q.id
expect(response.status).to eq(422)
expect(response_json['errors']).to_not eq([])
expect(response_json['success']).to eq(false)
expect(response_json['errors'].first).to match(/read-only transaction/)
end
it "doesn't allow you to create a table" do
q = make_query <<~SQL
CREATE TABLE mytable (id serial)
SQL
run_query q.id
expect(response.status).to eq(422)
expect(response_json['errors']).to_not eq([])
expect(response_json['success']).to eq(false)
expect(response_json['errors'].first).to match(/read-only transaction|syntax error/)
end
it "doesn't allow you to break the transaction" do
q = make_query <<~SQL
COMMIT
SQL
run_query q.id
expect(response.status).to eq(422)
expect(response_json['errors']).to_not eq([])
expect(response_json['success']).to eq(false)
expect(response_json['errors'].first).to match(/syntax error/)
q.sql = <<~SQL
)
SQL
run_query q.id
expect(response.status).to eq(422)
expect(response_json['errors']).to_not eq([])
expect(response_json['success']).to eq(false)
expect(response_json['errors'].first).to match(/syntax error/)
q.sql = <<~SQL
RELEASE SAVEPOINT active_record_1
SQL
run_query q.id
expect(response.status).to eq(422)
expect(response_json['errors']).to_not eq([])
expect(response_json['success']).to eq(false)
expect(response_json['errors'].first).to match(/syntax error/)
end
it "can export data in CSV format" do
q = make_query('SELECT 23 as my_value')
post :run, params: { id: q.id, download: 1 }, format: :csv
expect(response.status).to eq(200)
end
context "`limit` parameter" do
before do
create_post
create_post
create_post
end
it "should limit the results in JSON response" do
begin
original_const = DataExplorer::QUERY_RESULT_DEFAULT_LIMIT
DataExplorer.send(:remove_const, "QUERY_RESULT_DEFAULT_LIMIT")
DataExplorer.const_set("QUERY_RESULT_DEFAULT_LIMIT", 2)
q = make_query <<~SQL
SELECT id FROM posts
SQL
run_query q.id
expect(response_json['rows'].count).to eq(2)
post :run, params: { id: q.id, limit: 1 }, format: :json
expect(response_json['rows'].count).to eq(1)
post :run, params: { id: q.id, limit: "ALL" }, format: :json
expect(response_json['rows'].count).to eq(3)
ensure
DataExplorer.send(:remove_const, "QUERY_RESULT_DEFAULT_LIMIT")
DataExplorer.const_set("QUERY_RESULT_DEFAULT_LIMIT", original_const)
end
end
it "should limit the results in CSV download" do
begin
original_const = DataExplorer::QUERY_RESULT_MAX_LIMIT
DataExplorer.send(:remove_const, "QUERY_RESULT_MAX_LIMIT")
DataExplorer.const_set("QUERY_RESULT_MAX_LIMIT", 2)
ids = Post.order(:id).pluck(:id)
q = make_query <<~SQL
SELECT id FROM posts
SQL
post :run, params: { id: q.id, download: 1 }, format: :csv
expect(response.body.split("\n").count).to eq(3)
post :run, params: { id: q.id, download: 1, limit: 1 }, format: :csv
expect(response.body.split("\n").count).to eq(2)
# The value `ALL` is not supported in csv exports.
post :run, params: { id: q.id, download: 1, limit: "ALL" }, format: :csv
expect(response.body.split("\n").count).to eq(1)
ensure
DataExplorer.send(:remove_const, "QUERY_RESULT_MAX_LIMIT")
DataExplorer.const_set("QUERY_RESULT_MAX_LIMIT", original_const)
end
end
end
2015-07-15 16:20:42 -04:00
end
end
describe "Non-Admin" do
routes { Discourse::Application.routes }
2015-07-15 16:20:42 -04:00
let(:user) { Fabricate(:user) }
let(:group) { Fabricate(:group, users: [user]) }
2019-09-11 10:52:06 -04:00
before do
log_in_user(user)
2015-07-15 16:20:42 -04:00
end
describe "when disabled" do
before do
SiteSetting.data_explorer_enabled = false
end
2015-07-15 16:20:42 -04:00
it 'denies every request' do
get :group_reports_index, params: { group_name: 1 }, format: :json
expect(response.status).to eq(404)
get :group_reports_show, params: { group_name: 1, id: 1 }, format: :json
expect(response.status).to eq(404)
2015-07-15 16:20:42 -04:00
post :group_reports_run, params: { group_name: 1, id: 1 }, format: :json
expect(response.status).to eq(404)
end
2015-07-15 16:20:42 -04:00
end
describe "#group_reports_index" do
2015-07-15 16:20:42 -04:00
2019-09-11 10:52:06 -04:00
it "only returns queries that the group has access to" do
group.add(user)
make_query('SELECT 1 as value', { name: 'A' }, ["#{group.id}"])
get :group_reports_index, params: { group_name: group.name }, format: :json
expect(response.status).to eq(200)
expect(response_json['queries'].length).to eq(1)
expect(response_json['queries'][0]['name']).to eq('A')
2019-09-11 10:52:06 -04:00
end
it "returns a 404 when the user should not have access to the query " do
other_user = Fabricate(:user)
log_in_user(other_user)
get :group_reports_index, params: { group_name: group.name }, format: :json
expect(response.status).to eq(404)
end
2015-07-15 16:20:42 -04:00
it "return a 200 when the user has access the the query" do
group.add(user)
2017-09-04 02:07:22 -04:00
get :group_reports_index, params: { group_name: group.name }, format: :json
expect(response.status).to eq(200)
end
it "does not return hidden queries" do
group.add(user)
make_query('SELECT 1 as value', { name: 'A', hidden: true }, ["#{group.id}"])
make_query('SELECT 1 as value', { name: 'B' }, ["#{group.id}"])
get :group_reports_index, params: { group_name: group.name }, format: :json
expect(response.status).to eq(200)
expect(response_json['queries'].length).to eq(1)
expect(response_json['queries'][0]['name']).to eq('B')
end
2015-07-15 16:20:42 -04:00
end
describe "#group_reports_run" do
it "calls run on QueryController" do
2019-09-11 10:52:06 -04:00
query = make_query('SELECT 1 as value', { name: 'B' }, ["#{group.id}"])
controller.expects(:run).at_least_once
2019-09-11 10:52:06 -04:00
get :group_reports_run, params: { group_name: group.name, id: query.id }, format: :json
end
it "returns a 404 when the user should not have access to the query " do
group.add(user)
query = make_query('SELECT 1 as value', {}, [])
get :group_reports_run, params: { group_name: group.name, id: query.id }, format: :json
expect(response.status).to eq(404)
end
it "return a 200 when the user has access the the query" do
group.add(user)
query = make_query('SELECT 1 as value', {}, [group.id.to_s])
get :group_reports_run, params: { group_name: group.name, id: query.id }, format: :json
expect(response.status).to eq(200)
end
it "return a 404 when the query is hidden" do
group.add(user)
query = make_query('SELECT 1 as value', { hidden: true }, [group.id.to_s])
get :group_reports_run, params: { group_name: group.name, id: query.id }, format: :json
expect(response.status).to eq(404)
end
2015-07-15 16:20:42 -04:00
end
describe "#group_reports_show" do
let(:group) { Fabricate(:group) }
it "returns a 404 when the user should not have access to the query " do
user = Fabricate(:user)
log_in_user(user)
group.add(user)
query = make_query('SELECT 1 as value', {}, [])
get :group_reports_show, params: { group_name: group.name, id: query.id }, format: :json
expect(response.status).to eq(404)
end
it "return a 200 when the user has access the the query" do
user = Fabricate(:user)
log_in_user(user)
group.add(user)
query = make_query('SELECT 1 as value', {}, [group.id.to_s])
get :group_reports_show, params: { group_name: group.name, id: query.id }, format: :json
expect(response.status).to eq(200)
end
it "return a 404 when the query is hidden" do
user = Fabricate(:user)
log_in_user(user)
group.add(user)
query = make_query('SELECT 1 as value', { hidden: true }, [group.id.to_s])
get :group_reports_show, params: { group_name: group.name, id: query.id }, format: :json
expect(response.status).to eq(404)
end
end
2015-07-15 16:20:42 -04:00
end
end