Make sure user has access to data source when loading query result

redash/handlers/query_results.py

@@ -11,7 +11,7 @@ import xlsxwriter
 from redash import models, settings, utils
 from redash.wsgi import api
 from redash.tasks import QueryTask, record_event
-from redash.permissions import require_permission, not_view_only, has_access
+from redash.permissions import require_permission, not_view_only, has_access, require_access, view_only
 from redash.handlers.base import BaseResource, get_object_or_404
 from redash.utils import collect_query_parameters, collect_parameters_from_request
 
@@ -108,6 +108,8 @@ class QueryResultAPI(BaseResource):
             query_result = get_object_or_404(models.QueryResult.get_by_id_and_org, query_result_id, self.current_org)
 
         if query_result:
+            require_access(query_result.data_source.groups, self.current_user, view_only)
+
             if isinstance(self.current_user, models.ApiUser):
                 event = {
                     'user_id': None,

tests/factories.py

@@ -174,11 +174,11 @@ class Factory(object):
         data_source = data_source_factory.create(**args)
 
         if 'group' in kwargs:
-            permissions = kwargs.pop('permissions', ['create', 'view'])
+            view_only = kwargs.pop('view_only', False)
 
             redash.models.DataSourceGroup.create(group=kwargs['group'],
                                                  data_source=data_source,
-                                                 permissions=permissions)
+                                                 view_only=view_only)
 
         return data_source
 

tests/handlers/test_query_results.py

@@ -17,7 +17,7 @@ class TestQueryResultsCacheHeaders(BaseTestCase):
         self.assertNotIn('Cache-Control', rv.headers)
 
 
-class QueryResultListAPITest(BaseTestCase):
+class TestQueryResultListAPI(BaseTestCase):
     def test_get_existing_result(self):
         query_result = self.factory.create_query_result()
         query = self.factory.create_query()
@@ -72,3 +72,26 @@ class QueryResultListAPITest(BaseTestCase):
 
         self.assertEquals(rv.status_code, 200)
         self.assertIn('job', rv.json)
+
+
+class TestQueryResultAPI(BaseTestCase):
+    def test_has_no_access_to_data_source(self):
+        ds = self.factory.create_data_source(group=self.factory.create_group())
+        query_result = self.factory.create_query_result(data_source=ds)
+
+        rv = self.make_request('get', '/api/query_results/{}'.format(query_result.id))
+        self.assertEquals(rv.status_code, 403)
+
+    def test_has_view_only_access_to_data_source(self):
+        ds = self.factory.create_data_source(group=self.factory.org.default_group, view_only=True)
+        query_result = self.factory.create_query_result(data_source=ds)
+
+        rv = self.make_request('get', '/api/query_results/{}'.format(query_result.id))
+        self.assertEquals(rv.status_code, 200)
+
+    def test_has_full_access_to_data_source(self):
+        ds = self.factory.create_data_source(group=self.factory.org.default_group, view_only=False)
+        query_result = self.factory.create_query_result(data_source=ds)
+
+        rv = self.make_request('get', '/api/query_results/{}'.format(query_result.id))
+        self.assertEquals(rv.status_code, 200)

tests/test_authentication.py

@@ -64,14 +64,6 @@ class TestApiKeyAuthentication(BaseTestCase):
             rv = c.get(self.query_url, headers={'Authorization': "Key {}".format(other_user.api_key)})
             self.assertEqual(404, rv.status_code)
 
-    def test_api_key_for_object(self):
-        api_key = self.factory.create_api_key()
-        path = '/{}/public/dashboards/{}'.format(self.factory.org.slug, api_key.api_key)
-
-        with app.test_client() as c:
-            rv = c.get(path, headers={'Authorization': "Key {}".format(api_key.api_key)})
-            self.assertEqual(200, rv.status_code)
-
 
 class TestHMACAuthentication(BaseTestCase):
     #

tests/test_handlers.py

@@ -4,7 +4,7 @@ from flask import url_for
 from flask_login import current_user
 from mock import patch
 from tests import BaseTestCase
-from tests.handlers import authenticated_user, json_request
+from tests.handlers import authenticated_user
 from redash import models, settings
 from redash.wsgi import app