discourse-data-explorer/spec/requests/query_controller_spec.rb

562 lines
18 KiB
Ruby
Raw Normal View History

# frozen_string_literal: true
require "rails_helper"
2015-07-15 16:20:42 -04:00
describe DiscourseDataExplorer::QueryController do
2015-07-15 16:20:42 -04:00
def response_json
2022-02-01 15:38:24 -05:00
response.parsed_body
2015-07-15 16:20:42 -04:00
end
before { SiteSetting.data_explorer_enabled = true }
2015-07-15 16:20:42 -04:00
def make_query(sql, opts = {}, group_ids = [])
query =
DiscourseDataExplorer::Query.create!(
name: opts[:name] || "Query number",
description: "A description for query number",
sql: sql,
hidden: opts[:hidden] || false,
)
group_ids.each { |group_id| query.query_groups.create!(group_id: group_id) }
query
2015-07-15 16:20:42 -04:00
end
describe "Admin" do
2024-02-29 12:15:57 -05:00
fab!(:admin)
2016-08-19 04:46:03 -04:00
before { sign_in(admin) }
2016-08-19 04:46:03 -04:00
describe "when disabled" do
before { SiteSetting.data_explorer_enabled = false }
2016-08-19 04:46:03 -04:00
it "denies every request" do
2022-01-20 23:15:23 -05:00
get "/admin/plugins/explorer/queries.json"
expect(response.status).to eq(404)
2016-08-19 04:46:03 -04:00
2022-01-20 23:15:23 -05:00
get "/admin/plugins/explorer/schema.json"
expect(response.status).to eq(404)
2016-08-19 04:46:03 -04:00
2022-01-20 23:15:23 -05:00
get "/admin/plugins/explorer/queries/3.json"
expect(response.status).to eq(404)
2016-08-19 04:46:03 -04:00
post "/admin/plugins/explorer/queries.json", params: { id: 3 }
expect(response.status).to eq(404)
2016-08-19 04:46:03 -04:00
2022-01-20 23:15:23 -05:00
post "/admin/plugins/explorer/queries/3/run.json"
expect(response.status).to eq(404)
2015-07-15 16:20:42 -04:00
2022-01-20 23:15:23 -05:00
put "/admin/plugins/explorer/queries/3.json"
expect(response.status).to eq(404)
2022-01-20 23:15:23 -05:00
delete "/admin/plugins/explorer/queries/3.json"
expect(response.status).to eq(404)
end
end
describe "#index" do
it "behaves nicely with no user created queries" do
DiscourseDataExplorer::Query.destroy_all
2022-01-20 23:15:23 -05:00
get "/admin/plugins/explorer/queries.json"
expect(response.status).to eq(200)
expect(response_json["queries"].count).to eq(DiscourseDataExplorer::Queries.default.count)
end
it "shows all available queries in alphabetical order" do
DiscourseDataExplorer::Query.destroy_all
make_query("SELECT 1 as value", name: "B")
make_query("SELECT 1 as value", name: "A")
2022-01-20 23:15:23 -05:00
get "/admin/plugins/explorer/queries.json"
expect(response.status).to eq(200)
expect(response_json["queries"].length).to eq(
DiscourseDataExplorer::Queries.default.count + 2,
)
expect(response_json["queries"][0]["name"]).to eq("A")
expect(response_json["queries"][1]["name"]).to eq("B")
end
FEATURE: Add ability to soft delete (hide) queries and revert deletion with rake tasks (#54) * FEATURE: Add hide button (toggleable) for all queries (frontend only) * Switches between hide/unhide on click * Works almost like the delete button, but toggles between the query's hidden attribute instead * So far this is only a frontend feature, the backend implementation still needs work * Revert "FEATURE: Add hide button (toggleable) for all queries (frontend only)" This reverts commit a8771d2ad57083a91b7130df807fa54c26205d11. REVERT: Remove button that hides queries (frontend) * Prepare for migration of old frontend logic to backend * We are going to reuse the existing delete button, but change its backend logic to enable soft deletion. From the user's perspective nothing will change, but any deletion mistakes can be reverted. * DEV: Hide user queries upon deletion, but keep them in store * Creating a new query will set its hidden attribute to false by default * Deleting a user-made query will not delete it from the store, but set its hidden attribute to true * User queries will not be indexed if they are hidden * Undeleting a query will unhide it, and will be indexed * Updating a hidden query will unhide it, and will be indexed * SPEC: Add spec for hidden/deleted queries * Hidden queries should not be shown * FEATURE: Add ability to delete/hide system queries * System queries are now able to be deleted from view, but will remain in the backend for retrieval, if necessary * FEATURE/DEV: Add rake commands for query soft deletion * query:list_hidden - Shows a list of hidden queries * query:hide_all[only_default] - Hides all queries, w/ boolean arg to hide only default ones * query:unhide[id] - Unhides a query by id * query:unhide_all[exclude_default] - Unhides all hidden queries, w/ boolean arg to exclude default ones * Remove rails loggers * UX/DEV: Update query rake tasks to be more user friendly * Split query:hide_all[only_default] into two tasks: * query:hide_all - Hides all queries * query:hide_all:only_default - Hide only default queries * Split query:unhide_all[exclude_default] into two tasks: * query:unhide_all - Unhides all hidden queries * query:unhide_all:exclude_default - Unhides all non-default queries * Rename file to match task name * UX: query:unhide can accept multiple arguments * Example: rake query:unhide[-5,-6,-7,3,5,6,-13,-14,-10] * UX: Update query rake tasks to output cleaner messages * Remove unneeded comment * DEV: Keep only necessary rake tasks, use more specific naming * UX/DEV: Add rake task for hard deletion, better console logs * User is able to hard delete a query only if it is hidden, otherwise output a message stating so * Add commented examples above each task * Add rainbow support for more readable console logs * Successful messages will display green, failures display red, additional info displays yellow * Separate multiple queries with spaces instead of lines * DEV: Remove rainbow colorizing in console logs * Rainbow is a dependency of rubocop and it may go away in the future * Rainbow is only used for dev and test environments * DEV: Add Rails engine to enable rake tasks to be loaded at runtime * DEV: Favor require - load files only if they are not already loaded * SPEC: Add tests for data_explorer[id] rake command * Test if a single query is hidden correctly * Expect length of query list to not be modified * Expect array of hidden queries to have exactly 1 element * Expect that one element to have the same ID as the one invoked to be hidden * Test if multiple queries are hidden correctly * Expect length of query list to not be modified * Expect array of hidden queries to have the number of elements equal to the number invoked to be hidden * Expect the elements to have the same ID as the ones invoked to be hidden * Test if a query exists in PluginStore * Expect query list to be empty * DEV: Clear pre-existing tasks before redefining * This prevents double invocation when user invokes the task once * SPEC: Add tests for unhide_query rake task * Test if a single query unhides correctly * Expect length of query list to not be modified * Expect array of hidden queries to have exactly 1 element after unhiding 1 of 2 queries * Expect remaining element to be hidden * Test if multiple queries unhide correctly * Expect length of query list to not be modified * Expect array of hidden queries to have exactly 1 element after unhiding 3 of 4 queries * Expect remaining element to be hidden * Test if a query exists in PluginStore * Expect query list to not be modified * SPEC: Add tests for hard_delete rake task * Test if a single query hard deletes correctly * Expect length of query list to be shorter by 1 * Expect array of hidden queries to have exactly 1 element after hard deleting 1 of 2 queries * Expect 1 remaining hidden element * Test if multiple queries hard delete correctly * Expect length of query list to be shorter by 3 after hard deleting 3 of 4 queries * Expect array of hidden queries to have exactly 1 element after hard deleting 3 of 4 queries * Expect 1 remaining hidden element * Test if a query exists in PluginStore * Expect hidden query list to not be modified * Test if a query is not hidden * Expect query list to not be modified * UX: Favor newline char in place of puts for logs * Condensed console logs to output newline char instead of another puts statement (reduces number of lines used significantly)
2020-07-29 02:50:24 -04:00
it "doesn't show hidden/deleted queries" do
DiscourseDataExplorer::Query.destroy_all
make_query("SELECT 1 as value", name: "A", hidden: false)
make_query("SELECT 1 as value", name: "B", hidden: true)
make_query("SELECT 1 as value", name: "C", hidden: true)
2022-01-20 23:15:23 -05:00
get "/admin/plugins/explorer/queries.json"
FEATURE: Add ability to soft delete (hide) queries and revert deletion with rake tasks (#54) * FEATURE: Add hide button (toggleable) for all queries (frontend only) * Switches between hide/unhide on click * Works almost like the delete button, but toggles between the query's hidden attribute instead * So far this is only a frontend feature, the backend implementation still needs work * Revert "FEATURE: Add hide button (toggleable) for all queries (frontend only)" This reverts commit a8771d2ad57083a91b7130df807fa54c26205d11. REVERT: Remove button that hides queries (frontend) * Prepare for migration of old frontend logic to backend * We are going to reuse the existing delete button, but change its backend logic to enable soft deletion. From the user's perspective nothing will change, but any deletion mistakes can be reverted. * DEV: Hide user queries upon deletion, but keep them in store * Creating a new query will set its hidden attribute to false by default * Deleting a user-made query will not delete it from the store, but set its hidden attribute to true * User queries will not be indexed if they are hidden * Undeleting a query will unhide it, and will be indexed * Updating a hidden query will unhide it, and will be indexed * SPEC: Add spec for hidden/deleted queries * Hidden queries should not be shown * FEATURE: Add ability to delete/hide system queries * System queries are now able to be deleted from view, but will remain in the backend for retrieval, if necessary * FEATURE/DEV: Add rake commands for query soft deletion * query:list_hidden - Shows a list of hidden queries * query:hide_all[only_default] - Hides all queries, w/ boolean arg to hide only default ones * query:unhide[id] - Unhides a query by id * query:unhide_all[exclude_default] - Unhides all hidden queries, w/ boolean arg to exclude default ones * Remove rails loggers * UX/DEV: Update query rake tasks to be more user friendly * Split query:hide_all[only_default] into two tasks: * query:hide_all - Hides all queries * query:hide_all:only_default - Hide only default queries * Split query:unhide_all[exclude_default] into two tasks: * query:unhide_all - Unhides all hidden queries * query:unhide_all:exclude_default - Unhides all non-default queries * Rename file to match task name * UX: query:unhide can accept multiple arguments * Example: rake query:unhide[-5,-6,-7,3,5,6,-13,-14,-10] * UX: Update query rake tasks to output cleaner messages * Remove unneeded comment * DEV: Keep only necessary rake tasks, use more specific naming * UX/DEV: Add rake task for hard deletion, better console logs * User is able to hard delete a query only if it is hidden, otherwise output a message stating so * Add commented examples above each task * Add rainbow support for more readable console logs * Successful messages will display green, failures display red, additional info displays yellow * Separate multiple queries with spaces instead of lines * DEV: Remove rainbow colorizing in console logs * Rainbow is a dependency of rubocop and it may go away in the future * Rainbow is only used for dev and test environments * DEV: Add Rails engine to enable rake tasks to be loaded at runtime * DEV: Favor require - load files only if they are not already loaded * SPEC: Add tests for data_explorer[id] rake command * Test if a single query is hidden correctly * Expect length of query list to not be modified * Expect array of hidden queries to have exactly 1 element * Expect that one element to have the same ID as the one invoked to be hidden * Test if multiple queries are hidden correctly * Expect length of query list to not be modified * Expect array of hidden queries to have the number of elements equal to the number invoked to be hidden * Expect the elements to have the same ID as the ones invoked to be hidden * Test if a query exists in PluginStore * Expect query list to be empty * DEV: Clear pre-existing tasks before redefining * This prevents double invocation when user invokes the task once * SPEC: Add tests for unhide_query rake task * Test if a single query unhides correctly * Expect length of query list to not be modified * Expect array of hidden queries to have exactly 1 element after unhiding 1 of 2 queries * Expect remaining element to be hidden * Test if multiple queries unhide correctly * Expect length of query list to not be modified * Expect array of hidden queries to have exactly 1 element after unhiding 3 of 4 queries * Expect remaining element to be hidden * Test if a query exists in PluginStore * Expect query list to not be modified * SPEC: Add tests for hard_delete rake task * Test if a single query hard deletes correctly * Expect length of query list to be shorter by 1 * Expect array of hidden queries to have exactly 1 element after hard deleting 1 of 2 queries * Expect 1 remaining hidden element * Test if multiple queries hard delete correctly * Expect length of query list to be shorter by 3 after hard deleting 3 of 4 queries * Expect array of hidden queries to have exactly 1 element after hard deleting 3 of 4 queries * Expect 1 remaining hidden element * Test if a query exists in PluginStore * Expect hidden query list to not be modified * Test if a query is not hidden * Expect query list to not be modified * UX: Favor newline char in place of puts for logs * Condensed console logs to output newline char instead of another puts statement (reduces number of lines used significantly)
2020-07-29 02:50:24 -04:00
expect(response.status).to eq(200)
expect(response_json["queries"].length).to eq(
DiscourseDataExplorer::Queries.default.count + 1,
)
FEATURE: Add ability to soft delete (hide) queries and revert deletion with rake tasks (#54) * FEATURE: Add hide button (toggleable) for all queries (frontend only) * Switches between hide/unhide on click * Works almost like the delete button, but toggles between the query's hidden attribute instead * So far this is only a frontend feature, the backend implementation still needs work * Revert "FEATURE: Add hide button (toggleable) for all queries (frontend only)" This reverts commit a8771d2ad57083a91b7130df807fa54c26205d11. REVERT: Remove button that hides queries (frontend) * Prepare for migration of old frontend logic to backend * We are going to reuse the existing delete button, but change its backend logic to enable soft deletion. From the user's perspective nothing will change, but any deletion mistakes can be reverted. * DEV: Hide user queries upon deletion, but keep them in store * Creating a new query will set its hidden attribute to false by default * Deleting a user-made query will not delete it from the store, but set its hidden attribute to true * User queries will not be indexed if they are hidden * Undeleting a query will unhide it, and will be indexed * Updating a hidden query will unhide it, and will be indexed * SPEC: Add spec for hidden/deleted queries * Hidden queries should not be shown * FEATURE: Add ability to delete/hide system queries * System queries are now able to be deleted from view, but will remain in the backend for retrieval, if necessary * FEATURE/DEV: Add rake commands for query soft deletion * query:list_hidden - Shows a list of hidden queries * query:hide_all[only_default] - Hides all queries, w/ boolean arg to hide only default ones * query:unhide[id] - Unhides a query by id * query:unhide_all[exclude_default] - Unhides all hidden queries, w/ boolean arg to exclude default ones * Remove rails loggers * UX/DEV: Update query rake tasks to be more user friendly * Split query:hide_all[only_default] into two tasks: * query:hide_all - Hides all queries * query:hide_all:only_default - Hide only default queries * Split query:unhide_all[exclude_default] into two tasks: * query:unhide_all - Unhides all hidden queries * query:unhide_all:exclude_default - Unhides all non-default queries * Rename file to match task name * UX: query:unhide can accept multiple arguments * Example: rake query:unhide[-5,-6,-7,3,5,6,-13,-14,-10] * UX: Update query rake tasks to output cleaner messages * Remove unneeded comment * DEV: Keep only necessary rake tasks, use more specific naming * UX/DEV: Add rake task for hard deletion, better console logs * User is able to hard delete a query only if it is hidden, otherwise output a message stating so * Add commented examples above each task * Add rainbow support for more readable console logs * Successful messages will display green, failures display red, additional info displays yellow * Separate multiple queries with spaces instead of lines * DEV: Remove rainbow colorizing in console logs * Rainbow is a dependency of rubocop and it may go away in the future * Rainbow is only used for dev and test environments * DEV: Add Rails engine to enable rake tasks to be loaded at runtime * DEV: Favor require - load files only if they are not already loaded * SPEC: Add tests for data_explorer[id] rake command * Test if a single query is hidden correctly * Expect length of query list to not be modified * Expect array of hidden queries to have exactly 1 element * Expect that one element to have the same ID as the one invoked to be hidden * Test if multiple queries are hidden correctly * Expect length of query list to not be modified * Expect array of hidden queries to have the number of elements equal to the number invoked to be hidden * Expect the elements to have the same ID as the ones invoked to be hidden * Test if a query exists in PluginStore * Expect query list to be empty * DEV: Clear pre-existing tasks before redefining * This prevents double invocation when user invokes the task once * SPEC: Add tests for unhide_query rake task * Test if a single query unhides correctly * Expect length of query list to not be modified * Expect array of hidden queries to have exactly 1 element after unhiding 1 of 2 queries * Expect remaining element to be hidden * Test if multiple queries unhide correctly * Expect length of query list to not be modified * Expect array of hidden queries to have exactly 1 element after unhiding 3 of 4 queries * Expect remaining element to be hidden * Test if a query exists in PluginStore * Expect query list to not be modified * SPEC: Add tests for hard_delete rake task * Test if a single query hard deletes correctly * Expect length of query list to be shorter by 1 * Expect array of hidden queries to have exactly 1 element after hard deleting 1 of 2 queries * Expect 1 remaining hidden element * Test if multiple queries hard delete correctly * Expect length of query list to be shorter by 3 after hard deleting 3 of 4 queries * Expect array of hidden queries to have exactly 1 element after hard deleting 3 of 4 queries * Expect 1 remaining hidden element * Test if a query exists in PluginStore * Expect hidden query list to not be modified * Test if a query is not hidden * Expect query list to not be modified * UX: Favor newline char in place of puts for logs * Condensed console logs to output newline char instead of another puts statement (reduces number of lines used significantly)
2020-07-29 02:50:24 -04:00
end
2015-07-15 16:20:42 -04:00
end
describe "#update" do
fab!(:user2) { Fabricate(:user) }
fab!(:group2) { Fabricate(:group, users: [user2]) }
it "allows group to access system query" do
query = DiscourseDataExplorer::Query.find(-4)
put "/admin/plugins/explorer/queries/#{query.id}.json",
params: {
"query" => {
"name" => query.name,
"description" => query.description,
"sql" => query.sql,
"user_id" => query.user_id,
"created_at" => query.created_at,
"group_ids" => [group2.id],
"last_run_at" => query.last_run_at,
},
"id" => query.id,
}
expect(response.status).to eq(200)
end
it "returns a proper json error for invalid updates" do
query = DiscourseDataExplorer::Query.find(-4)
put "/admin/plugins/explorer/queries/#{query.id}",
params: {
"query" => {
"name" => "",
},
"id" => query.id,
}
expect(response.status).to eq(422)
expect(response.parsed_body["errors"]).to eq(["Name can't be blank"])
end
end
describe "#run" do
def run_query(id, params = {})
params = Hash[params.map { |a| [a[0], a[1].to_s] }]
2022-01-20 23:15:23 -05:00
post "/admin/plugins/explorer/queries/#{id}/run.json", params: { params: params.to_json }
end
2022-01-20 23:15:23 -05:00
it "can run queries" do
query = make_query("SELECT 23 as my_value")
run_query query.id
expect(response.status).to eq(200)
expect(response_json["success"]).to eq(true)
expect(response_json["errors"]).to eq([])
expect(response_json["columns"]).to eq(["my_value"])
expect(response_json["rows"]).to eq([[23]])
end
it "can process parameters" do
query = make_query <<~SQL
-- [params]
-- int :foo = 34
SELECT :foo as my_value
SQL
run_query query.id, foo: 23
expect(response.status).to eq(200)
expect(response_json["errors"]).to eq([])
expect(response_json["success"]).to eq(true)
expect(response_json["columns"]).to eq(["my_value"])
expect(response_json["rows"]).to eq([[23]])
run_query query.id
expect(response.status).to eq(200)
expect(response_json["errors"]).to eq([])
expect(response_json["success"]).to eq(true)
expect(response_json["columns"]).to eq(["my_value"])
expect(response_json["rows"]).to eq([[34]])
# 2.3 is not an integer
run_query query.id, foo: "2.3"
expect(response.status).to eq(422)
expect(response_json["errors"]).to_not eq([])
expect(response_json["success"]).to eq(false)
expect(response_json["errors"].first).to match(/ValidationError/)
end
context "when rate limited" do
def unlimited_request(query_id, headers = {})
post "/admin/plugins/explorer/queries/#{query_id}/run.json",
params: {
params: {}.to_json,
},
headers: headers
expect(response.status).to eq(200)
end
def limited_request(query_id, headers = {})
post "/admin/plugins/explorer/queries/#{query_id}/run.json",
params: {
params: {}.to_json,
},
headers: headers
expect(response.status).to eq(429)
expect(response.parsed_body["extras"]).to eq(
{ "wait_seconds" => 9, "time_left" => "9 seconds" },
)
end
before { RateLimiter.enable }
it "limits query runs from API when using block mode" do
global_setting :max_data_explorer_api_reqs_per_10_seconds, 1
global_setting :max_data_explorer_api_req_mode, "block"
admin = Fabricate(:admin)
api_key = Fabricate(:api_key, user: admin)
query = make_query("SELECT 23 as my_value")
headers = { HTTP_API_KEY: api_key.key, HTTP_API_USERNAME: admin.username }
now = Time.now
freeze_time(now)
unlimited_request(query.id, headers)
freeze_time(now + 1.second)
limited_request(query.id, headers)
freeze_time(now + 10.seconds)
unlimited_request(query.id, headers)
end
it "does not limit query runs from API when using warn mode" do
global_setting :max_data_explorer_api_reqs_per_10_seconds, 1
global_setting :max_data_explorer_api_req_mode, "warn"
admin = Fabricate(:admin)
api_key = Fabricate(:api_key, user: admin)
query = make_query("SELECT 23 as my_value")
headers = { HTTP_API_KEY: api_key.key, HTTP_API_USERNAME: admin.username }
freeze_time
unlimited_request(query.id, headers)
Discourse.expects(:warn).once
unlimited_request(query.id, headers)
end
it "does not limit query runs from UI" do
global_setting :max_data_explorer_api_reqs_per_10_seconds, 1
global_setting :max_data_explorer_api_req_mode, "block"
query = make_query("SELECT 23 as my_value")
freeze_time
unlimited_request(query.id)
unlimited_request(query.id)
end
end
it "doesn't allow you to modify the database #1" do
p = create_post
query = make_query <<~SQL
UPDATE posts SET cooked = '<p>you may already be a winner!</p>' WHERE id = #{p.id}
RETURNING id
SQL
run_query query.id
p.reload
# Manual Test - comment out the following lines:
# DB.exec "SET TRANSACTION READ ONLY"
# raise ActiveRecord::Rollback
# This test should fail on the below check.
expect(p.cooked).to_not match(/winner/)
expect(response.status).to eq(422)
expect(response_json["errors"]).to_not eq([])
expect(response_json["success"]).to eq(false)
expect(response_json["errors"].first).to match(/read-only transaction/)
end
it "doesn't allow you to modify the database #2" do
p = create_post
query = make_query <<~SQL
SELECT 1
)
SELECT * FROM query;
RELEASE SAVEPOINT active_record_1;
SET TRANSACTION READ WRITE;
UPDATE posts SET cooked = '<p>you may already be a winner!</p>' WHERE id = #{p.id};
SAVEPOINT active_record_1;
SET TRANSACTION READ ONLY;
WITH query AS (
SELECT 1
SQL
run_query query.id
p.reload
# Manual Test - change out the following line:
#
# module ::DiscourseDataExplorer
# def self.run_query(...)
# if query.sql =~ /;/
#
# to
#
# if false && query.sql =~ /;/
#
# Afterwards, this test should fail on the below check.
expect(p.cooked).to_not match(/winner/)
expect(response.status).to eq(422)
expect(response_json["errors"]).to_not eq([])
expect(response_json["success"]).to eq(false)
expect(response_json["errors"].first).to match(/semicolon/)
end
it "doesn't allow you to lock rows" do
query = make_query <<~SQL
SELECT id FROM posts FOR UPDATE
SQL
run_query query.id
expect(response.status).to eq(422)
expect(response_json["errors"]).to_not eq([])
expect(response_json["success"]).to eq(false)
expect(response_json["errors"].first).to match(/read-only transaction/)
end
it "doesn't allow you to create a table" do
query = make_query <<~SQL
CREATE TABLE mytable (id serial)
SQL
run_query query.id
expect(response.status).to eq(422)
expect(response_json["errors"]).to_not eq([])
expect(response_json["success"]).to eq(false)
expect(response_json["errors"].first).to match(/read-only transaction|syntax error/)
end
it "doesn't allow you to break the transaction" do
query = make_query <<~SQL
COMMIT
SQL
run_query query.id
expect(response.status).to eq(422)
expect(response_json["errors"]).to_not eq([])
expect(response_json["success"]).to eq(false)
expect(response_json["errors"].first).to match(/syntax error/)
query.sql = <<~SQL
)
SQL
run_query query.id
expect(response.status).to eq(422)
expect(response_json["errors"]).to_not eq([])
expect(response_json["success"]).to eq(false)
expect(response_json["errors"].first).to match(/syntax error/)
query.sql = <<~SQL
RELEASE SAVEPOINT active_record_1
SQL
run_query query.id
expect(response.status).to eq(422)
expect(response_json["errors"]).to_not eq([])
expect(response_json["success"]).to eq(false)
expect(response_json["errors"].first).to match(/syntax error/)
end
it "can export data in CSV format" do
query = make_query("SELECT 23 as my_value")
2022-01-20 23:15:23 -05:00
post "/admin/plugins/explorer/queries/#{query.id}/run.json", params: { download: 1 }
expect(response.status).to eq(200)
end
context "with the `limit` parameter" do
before do
create_post
create_post
create_post
end
it "should limit the results in JSON response" do
SiteSetting.data_explorer_query_result_limit = 2
query = make_query <<~SQL
SELECT id FROM posts
SQL
run_query query.id
expect(response_json["rows"].count).to eq(2)
2022-01-20 23:15:23 -05:00
post "/admin/plugins/explorer/queries/#{query.id}/run.json", params: { limit: 1 }
expect(response_json["rows"].count).to eq(1)
2022-01-20 23:15:23 -05:00
post "/admin/plugins/explorer/queries/#{query.id}/run.json", params: { limit: "ALL" }
expect(response_json["rows"].count).to eq(3)
end
it "should limit the results in CSV download" do
begin
original_const = DiscourseDataExplorer::QUERY_RESULT_MAX_LIMIT
DiscourseDataExplorer.send(:remove_const, "QUERY_RESULT_MAX_LIMIT")
DiscourseDataExplorer.const_set("QUERY_RESULT_MAX_LIMIT", 2)
query = make_query <<~SQL
SELECT id FROM posts
SQL
2022-01-20 23:15:23 -05:00
post "/admin/plugins/explorer/queries/#{query.id}/run.csv", params: { download: 1 }
expect(response.body.split("\n").count).to eq(3)
post "/admin/plugins/explorer/queries/#{query.id}/run.csv",
params: {
download: 1,
limit: 1,
}
expect(response.body.split("\n").count).to eq(2)
# The value `ALL` is not supported in csv exports.
post "/admin/plugins/explorer/queries/#{query.id}/run.csv",
params: {
download: 1,
limit: "ALL",
}
expect(response.body.split("\n").count).to eq(1)
ensure
DiscourseDataExplorer.send(:remove_const, "QUERY_RESULT_MAX_LIMIT")
DiscourseDataExplorer.const_set("QUERY_RESULT_MAX_LIMIT", original_const)
end
end
end
2015-07-15 16:20:42 -04:00
end
end
describe "Non-Admin" do
2024-02-29 12:15:57 -05:00
fab!(:user)
2022-01-20 23:15:23 -05:00
fab!(:group) { Fabricate(:group, users: [user]) }
2019-09-11 10:52:06 -04:00
before { sign_in(user) }
2015-07-15 16:20:42 -04:00
describe "when disabled" do
before { SiteSetting.data_explorer_enabled = false }
2015-07-15 16:20:42 -04:00
it "denies every request" do
2022-01-20 23:15:23 -05:00
get "/g/1/reports.json"
expect(response.status).to eq(404)
2022-01-20 23:15:23 -05:00
get "/g/1/reports/1.json"
expect(response.status).to eq(404)
2015-07-15 16:20:42 -04:00
2022-01-20 23:15:23 -05:00
post "/g/1/reports/1/run.json"
expect(response.status).to eq(404)
end
2015-07-15 16:20:42 -04:00
end
2022-01-20 23:15:23 -05:00
it "cannot access admin endpoints" do
query = make_query("SELECT 1 as value")
2022-01-20 23:15:23 -05:00
post "/admin/plugins/explorer/queries/#{query.id}/run.json"
expect(response.status).to eq(403)
end
2015-07-15 16:20:42 -04:00
2022-01-20 23:15:23 -05:00
describe "#group_reports_index" do
2019-09-11 10:52:06 -04:00
it "only returns queries that the group has access to" do
group.add(user)
make_query("SELECT 1 as value", { name: "A" }, ["#{group.id}"])
2022-01-20 23:15:23 -05:00
get "/g/#{group.name}/reports.json"
expect(response.status).to eq(200)
expect(response_json["queries"].length).to eq(1)
expect(response_json["queries"][0]["name"]).to eq("A")
2019-09-11 10:52:06 -04:00
end
it "returns a 404 when the user should not have access to the query " do
other_user = Fabricate(:user)
2022-01-20 23:15:23 -05:00
sign_in(other_user)
2022-01-20 23:15:23 -05:00
get "/g/#{group.name}/reports.json"
expect(response.status).to eq(404)
end
2015-07-15 16:20:42 -04:00
it "return a 200 when the user has access the the query" do
group.add(user)
2017-09-04 02:07:22 -04:00
2022-01-20 23:15:23 -05:00
get "/g/#{group.name}/reports.json"
expect(response.status).to eq(200)
end
it "does not return hidden queries" do
group.add(user)
make_query("SELECT 1 as value", { name: "A", hidden: true }, ["#{group.id}"])
make_query("SELECT 1 as value", { name: "B" }, ["#{group.id}"])
2022-01-20 23:15:23 -05:00
get "/g/#{group.name}/reports.json"
expect(response.status).to eq(200)
expect(response_json["queries"].length).to eq(1)
expect(response_json["queries"][0]["name"]).to eq("B")
end
2015-07-15 16:20:42 -04:00
end
describe "#group_reports_run" do
2022-01-20 23:15:23 -05:00
it "runs the query" do
query = make_query("SELECT 1828 as value", { name: "B" }, ["#{group.id}"])
2022-01-20 23:15:23 -05:00
post "/g/#{group.name}/reports/#{query.id}/run.json"
expect(response.status).to eq(200)
expect(response.parsed_body["success"]).to eq(true)
expect(response.parsed_body["columns"]).to eq(["value"])
expect(response.parsed_body["rows"]).to eq([[1828]])
end
it "returns a 404 when the user should not have access to the query " do
group.add(user)
query = make_query("SELECT 1 as value", {}, [])
2022-01-20 23:15:23 -05:00
post "/g/#{group.name}/reports/#{query.id}/run.json"
expect(response.status).to eq(404)
end
it "return a 200 when the user has access the the query" do
group.add(user)
query = make_query("SELECT 1 as value", {}, [group.id.to_s])
2022-01-20 23:15:23 -05:00
post "/g/#{group.name}/reports/#{query.id}/run.json"
expect(response.status).to eq(200)
end
it "return a 404 when the query is hidden" do
group.add(user)
query = make_query("SELECT 1 as value", { hidden: true }, [group.id.to_s])
2022-01-20 23:15:23 -05:00
post "/g/#{group.name}/reports/#{query.id}/run.json"
expect(response.status).to eq(404)
end
2015-07-15 16:20:42 -04:00
end
describe "#group_reports_show" do
it "returns a 404 when the user should not have access to the query " do
query = make_query("SELECT 1 as value", {}, [])
2022-01-20 23:15:23 -05:00
get "/g/#{group.name}/reports/#{query.id}.json"
expect(response.status).to eq(404)
end
it "return a 200 when the user has access the the query" do
query = make_query("SELECT 1 as value", {}, [group.id.to_s])
2022-01-20 23:15:23 -05:00
get "/g/#{group.name}/reports/#{query.id}.json"
expect(response.status).to eq(200)
end
it "return a 404 when the query is hidden" do
query = make_query("SELECT 1 as value", { hidden: true }, [group.id.to_s])
2022-01-20 23:15:23 -05:00
get "/g/#{group.name}/reports/#{query.id}.json"
expect(response.status).to eq(404)
end
end
2015-07-15 16:20:42 -04:00
end
end