FIX: Do not show hidden queries in group reports (#57)

Mark VanLandingham 2020-08-10 15:12:06 -05:00 committed by GitHub
parent e7cc6310d7
commit 5bf875a1ac
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 38 additions and 13 deletions


@ -1080,15 +1080,16 @@ SQL
respond_to do |format|
format.html { render 'groups/show' }
format.json do
queries = DataExplorer::Query.all
queries.select! { |query| query.group_ids&.include?(group.id.to_s) }
render_serialized queries, DataExplorer::QuerySerializer, root: 'queries'
queries = DataExplorer::Query.all.select do |query|
!query.hidden && query.group_ids&.include?(group.id.to_s)
end
render_serialized(queries, DataExplorer::QuerySerializer, root: 'queries')
end
end
end
def group_reports_show
return raise Discourse::NotFound unless guardian.user_can_access_query?(group, query)
return raise Discourse::NotFound if !guardian.user_can_access_query?(group, query) || query.hidden
respond_to do |format|
format.html { render 'groups/show' }
@ -1100,7 +1101,7 @@ SQL
skip_before_action :check_xhr, only: [:group_reports_run]
def group_reports_run
return raise Discourse::NotFound unless guardian.user_can_access_query?(group, query)
return raise Discourse::NotFound if !guardian.user_can_access_query?(group, query) || query.hidden
run
end
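Review bot: The hidden check is repeated by hand at three call sites (the `select` block in the index action and the `|| query.hidden` guards in `group_reports_show` and `group_reports_run`), so a later group-report action that relies only on `guardian.user_can_access_query?` would serve hidden queries again. If that guardian method is used only for group reports (its definition is not visible here), moving the `hidden` test into it, or into a shared `before_action` for the group-report actions, would make the rule hold by default instead of by convention. In the two guards `return raise` is redundant because `raise` never returns; `raise Discourse::NotFound if !guardian.user_can_access_query?(group, query) || query.hidden` behaves the same. A short comment there saying that hidden queries answer 404, presumably so their existence is not disclosed to group members, would record the intent. The bodies of the index action and `group_reports_show` continue outside the hunks.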


@ -361,21 +361,31 @@ describe DataExplorer::QueryController do
end
it "returns a 404 when the user should not have access to the query " do
user = Fabricate(:user)
log_in_user(user)
other_user = Fabricate(:user)
log_in_user(other_user)
get :group_reports_index, params: { group_name: group.name }, format: :json
expect(response.status).to eq(404)
end
it "return a 200 when the user has access the the query" do
user = Fabricate(:user)
log_in_user(user)
group.add(user)
get :group_reports_index, params: { group_name: group.name }, format: :json
expect(response.status).to eq(200)
end
it "does not return hidden queries" do
group.add(user)
make_query('SELECT 1 as value', { name: 'A', hidden: true }, ["#{group.id}"])
make_query('SELECT 1 as value', { name: 'B' }, ["#{group.id}"])
get :group_reports_index, params: { group_name: group.name }, format: :json
expect(response.status).to eq(200)
expect(response_json['queries'].length).to eq(1)
expect(response_json['queries'][0]['name']).to eq('B')
end
end
describe "#group_reports_run" do
@ -387,8 +397,6 @@ describe DataExplorer::QueryController do
end
it "returns a 404 when the user should not have access to the query " do
user = Fabricate(:user)
log_in_user(user)
group.add(user)
query = make_query('SELECT 1 as value', {}, [])
@ -397,14 +405,20 @@ describe DataExplorer::QueryController do
end
it "return a 200 when the user has access the the query" do
user = Fabricate(:user)
log_in_user(user)
group.add(user)
query = make_query('SELECT 1 as value', {}, [group.id.to_s])
get :group_reports_run, params: { group_name: group.name, id: query.id }, format: :json
expect(response.status).to eq(200)
end
it "return a 404 when the query is hidden" do
group.add(user)
query = make_query('SELECT 1 as value', { hidden: true }, [group.id.to_s])
get :group_reports_run, params: { group_name: group.name, id: query.id }, format: :json
expect(response.status).to eq(404)
end
end
describe "#group_reports_show" do
@ -429,6 +443,16 @@ describe DataExplorer::QueryController do
get :group_reports_show, params: { group_name: group.name, id: query.id }, format: :json
expect(response.status).to eq(200)
end
it "return a 404 when the query is hidden" do
user = Fabricate(:user)
log_in_user(user)
group.add(user)
query = make_query('SELECT 1 as value', { hidden: true }, [group.id.to_s])
get :group_reports_show, params: { group_name: group.name, id: query.id }, format: :json
expect(response.status).to eq(404)
end
end
end
end
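Review bot: The new hidden-query example for `#group_reports_show` (last hunk) still fabricates and logs in its own user, while the new examples for the index and run actions call `group.add(user)` with a `user` that is presumably defined and logged in outside these hunks; using the shared setup there too would keep the three examples parallel. This matters beyond style because the controller answers 404 both for a failed access check and for a hidden query, so a hidden-query example only proves the `hidden` branch when its setup matches the neighbouring 200 example apart from `hidden: true`. A one-line comment on each, such as `# same setup as the 200 case; only hidden: true differs`, would make that pairing explicit. The index example could also assert the hidden query's absence by name rather than only through the length, e.g. `expect(response_json['queries'].map { |q| q['name'] }).not_to include('A')`.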