FIX: Do not show hidden queries in group reports (#57)

This commit is contained in:
Mark VanLandingham 2020-08-10 15:12:06 -05:00 committed by GitHub
parent e7cc6310d7
commit 5bf875a1ac
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 38 additions and 13 deletions


@ -1080,15 +1080,16 @@ SQL
respond_to do |format| respond_to do |format|
format.html { render 'groups/show' } format.html { render 'groups/show' }
format.json do format.json do
queries = DataExplorer::Query.all queries = DataExplorer::Query.all.select do |query|
queries.select! { |query| query.group_ids&.include?(group.id.to_s) } !query.hidden && query.group_ids&.include?(group.id.to_s)
render_serialized queries, DataExplorer::QuerySerializer, root: 'queries' end
render_serialized(queries, DataExplorer::QuerySerializer, root: 'queries')
end end
end end
end end
def group_reports_show def group_reports_show
return raise Discourse::NotFound unless guardian.user_can_access_query?(group, query) return raise Discourse::NotFound if !guardian.user_can_access_query?(group, query) || query.hidden
respond_to do |format| respond_to do |format|
format.html { render 'groups/show' } format.html { render 'groups/show' }
@ -1100,7 +1101,7 @@ SQL
skip_before_action :check_xhr, only: [:group_reports_run] skip_before_action :check_xhr, only: [:group_reports_run]
def group_reports_run def group_reports_run
return raise Discourse::NotFound unless guardian.user_can_access_query?(group, query) return raise Discourse::NotFound if !guardian.user_can_access_query?(group, query) || query.hidden
run run
end end
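Review bot: The hidden rule is now enforced in three separate places in this controller — `|| query.hidden` in `group_reports_show`, the same clause again in `group_reports_run`, and `!query.hidden` inside the index filter — while `guardian.user_can_access_query?(group, query)` itself still appears to answer true for a hidden query, so any other caller of that guardian method, or a future action copied from these two, will expose hidden queries unless the extra clause is remembered. Consider making the guardian the single authority: have `user_can_access_query?` return false when `query.hidden`, then both actions can go back to the one-line guard `return raise Discourse::NotFound unless guardian.user_can_access_query?(group, query)` and the index filter needs no separate check. While touching those lines, `return raise …` is redundant since `raise` never returns; plain `raise Discourse::NotFound unless …` reads the same. The index action's method header is outside this hunk; it loads `DataExplorer::Query.all` and filters in Ruby, which is presumably because `group_ids`/`hidden` are not queryable columns here — if they are, the filter could be pushed into the query instead.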


@ -361,21 +361,31 @@ describe DataExplorer::QueryController do
end end
it "returns a 404 when the user should not have access to the query " do it "returns a 404 when the user should not have access to the query " do
user = Fabricate(:user) other_user = Fabricate(:user)
log_in_user(user) log_in_user(other_user)
get :group_reports_index, params: { group_name: group.name }, format: :json get :group_reports_index, params: { group_name: group.name }, format: :json
expect(response.status).to eq(404) expect(response.status).to eq(404)
end end
it "return a 200 when the user has access the the query" do it "return a 200 when the user has access the the query" do
user = Fabricate(:user)
log_in_user(user)
group.add(user) group.add(user)
get :group_reports_index, params: { group_name: group.name }, format: :json get :group_reports_index, params: { group_name: group.name }, format: :json
expect(response.status).to eq(200) expect(response.status).to eq(200)
end end
it "does not return hidden queries" do
group.add(user)
make_query('SELECT 1 as value', { name: 'A', hidden: true }, ["#{group.id}"])
make_query('SELECT 1 as value', { name: 'B' }, ["#{group.id}"])
get :group_reports_index, params: { group_name: group.name }, format: :json
expect(response.status).to eq(200)
expect(response_json['queries'].length).to eq(1)
expect(response_json['queries'][0]['name']).to eq('B')
end
end end
describe "#group_reports_run" do describe "#group_reports_run" do
@ -387,8 +397,6 @@ describe DataExplorer::QueryController do
end end
it "returns a 404 when the user should not have access to the query " do it "returns a 404 when the user should not have access to the query " do
user = Fabricate(:user)
log_in_user(user)
group.add(user) group.add(user)
query = make_query('SELECT 1 as value', {}, []) query = make_query('SELECT 1 as value', {}, [])
@ -397,14 +405,20 @@ describe DataExplorer::QueryController do
end end
it "return a 200 when the user has access the the query" do it "return a 200 when the user has access the the query" do
user = Fabricate(:user)
log_in_user(user)
group.add(user) group.add(user)
query = make_query('SELECT 1 as value', {}, [group.id.to_s]) query = make_query('SELECT 1 as value', {}, [group.id.to_s])
get :group_reports_run, params: { group_name: group.name, id: query.id }, format: :json get :group_reports_run, params: { group_name: group.name, id: query.id }, format: :json
expect(response.status).to eq(200) expect(response.status).to eq(200)
end end
it "return a 404 when the query is hidden" do
group.add(user)
query = make_query('SELECT 1 as value', { hidden: true }, [group.id.to_s])
get :group_reports_run, params: { group_name: group.name, id: query.id }, format: :json
expect(response.status).to eq(404)
end
end end
describe "#group_reports_show" do describe "#group_reports_show" do
@ -429,6 +443,16 @@ describe DataExplorer::QueryController do
get :group_reports_show, params: { group_name: group.name, id: query.id }, format: :json get :group_reports_show, params: { group_name: group.name, id: query.id }, format: :json
expect(response.status).to eq(200) expect(response.status).to eq(200)
end end
it "return a 404 when the query is hidden" do
user = Fabricate(:user)
log_in_user(user)
group.add(user)
query = make_query('SELECT 1 as value', { hidden: true }, [group.id.to_s])
get :group_reports_show, params: { group_name: group.name, id: query.id }, format: :json
expect(response.status).to eq(404)
end
end end
end end
end end
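Review bot: The new "return a 404 when the query is hidden" test for `#group_reports_show` still fabricates and logs in its own user, whereas the same commit removed exactly those two lines from the sibling `#group_reports_index` and `#group_reports_run` tests in favour of a shared `user`; for consistency drop `user = Fabricate(:user)` and `log_in_user(user)` there too and keep only `group.add(user)`. The `describe "#group_reports_show"` block opens before this section's last hunk and the fixture that defines `user` is outside this file section entirely, so confirm `user` is logged in within that scope before relying on it.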