FIX: Do not show hidden queries in group reports (#57)

2020-08-10 15:12:06 -05:00 · 2020-08-10 15:12:06 -05:00 · 5bf875a1ac
parent e7cc6310d7
commit 5bf875a1ac
2 changed files with 38 additions and 13 deletions
--- a/plugin.rb
+++ b/plugin.rb
@ -1080,15 +1080,16 @@ SQL
      respond_to do |format|
        format.html { render 'groups/show' }
        format.json do
-          queries = DataExplorer::Query.all
-          queries.select! { |query| query.group_ids&.include?(group.id.to_s) }
-          render_serialized queries, DataExplorer::QuerySerializer, root: 'queries'
+          queries = DataExplorer::Query.all.select do |query|
+            !query.hidden && query.group_ids&.include?(group.id.to_s)
+          end
+          render_serialized(queries, DataExplorer::QuerySerializer, root: 'queries')
        end
      end
    end

    def group_reports_show
-      return raise Discourse::NotFound unless guardian.user_can_access_query?(group, query)
+      return raise Discourse::NotFound if !guardian.user_can_access_query?(group, query) || query.hidden

      respond_to do |format|
        format.html { render 'groups/show' }
@ -1100,7 +1101,7 @@ SQL

    skip_before_action :check_xhr, only: [:group_reports_run]
    def group_reports_run
-      return raise Discourse::NotFound unless guardian.user_can_access_query?(group, query)
+      return raise Discourse::NotFound if !guardian.user_can_access_query?(group, query) || query.hidden

      run
    end
--- a/spec/controllers/queries_controller_spec.rb
+++ b/spec/controllers/queries_controller_spec.rb
@ -361,21 +361,31 @@ describe DataExplorer::QueryController do
      end

      it "returns a 404 when the user should not have access to the query " do
-        user = Fabricate(:user)
-        log_in_user(user)
+        other_user = Fabricate(:user)
+        log_in_user(other_user)

        get :group_reports_index, params: { group_name: group.name }, format: :json
        expect(response.status).to eq(404)
      end

      it "return a 200 when the user has access the the query" do
-        user = Fabricate(:user)
-        log_in_user(user)
        group.add(user)

        get :group_reports_index, params: { group_name: group.name }, format: :json
        expect(response.status).to eq(200)
      end
+
+      it "does not return hidden queries" do
+
+        group.add(user)
+        make_query('SELECT 1 as value', { name: 'A', hidden: true }, ["#{group.id}"])
+        make_query('SELECT 1 as value', { name: 'B' }, ["#{group.id}"])
+
+        get :group_reports_index, params: { group_name: group.name }, format: :json
+        expect(response.status).to eq(200)
+        expect(response_json['queries'].length).to eq(1)
+        expect(response_json['queries'][0]['name']).to eq('B')
+      end
    end

    describe "#group_reports_run" do
@ -387,8 +397,6 @@ describe DataExplorer::QueryController do
      end

      it "returns a 404 when the user should not have access to the query " do
-        user = Fabricate(:user)
-        log_in_user(user)
        group.add(user)
        query = make_query('SELECT 1 as value', {}, [])

@ -397,14 +405,20 @@ describe DataExplorer::QueryController do
      end

      it "return a 200 when the user has access the the query" do
-        user = Fabricate(:user)
-        log_in_user(user)
        group.add(user)
        query = make_query('SELECT 1 as value', {}, [group.id.to_s])

        get :group_reports_run, params: { group_name: group.name, id: query.id }, format: :json
        expect(response.status).to eq(200)
      end
+
+      it "return a 404 when the query is hidden" do
+        group.add(user)
+        query = make_query('SELECT 1 as value', { hidden: true }, [group.id.to_s])
+
+        get :group_reports_run, params: { group_name: group.name, id: query.id }, format: :json
+        expect(response.status).to eq(404)
+      end
    end

    describe "#group_reports_show" do
@ -429,6 +443,16 @@ describe DataExplorer::QueryController do
        get :group_reports_show, params: { group_name: group.name, id: query.id }, format: :json
        expect(response.status).to eq(200)
      end
+
+      it "return a 404 when the query is hidden" do
+        user = Fabricate(:user)
+        log_in_user(user)
+        group.add(user)
+        query = make_query('SELECT 1 as value', { hidden: true }, [group.id.to_s])
+
+        get :group_reports_show, params: { group_name: group.name, id: query.id }, format: :json
+        expect(response.status).to eq(404)
+      end
    end
  end
 end