Nest query ACL to dropdowns (#3544)

* change API to /api/queries/:id/dropdowns/:dropdown_id * extract property * split to 2 different dropdown endpoints and implement the second * make access control optional for dropdowns (assuming it is verified at a different level) * add test cases for /api/queries/:id/dropdowns/:id * use new /dropdowns endpoint in frontend * require access to dropdown queries when creating or updating parent queries * rename Query resource dropdown endpoints * check access to dropdown query associations in one fugly query * move ParameterizedQuery to models folder * add dropdown association tests to query creation * move group by query ids query into models.Query * use bound parameters for groups query * format groups query * use new associatedDropdowns endpoint in dashboards * pass down parameter and let it return dropdown options. Go Levko! * change API to /api/queries/:id/dropdowns/:dropdown_id * split to 2 different dropdown endpoints and implement the second * use new /dropdowns endpoint in frontend * pass down parameter and let it return dropdown options. Go Levko! * fix bad rebase * add comment to clarify the purpose of checking the queryId
2025-12-25 01:03:20 -05:00 · 2019-03-20 09:16:10 +02:00
parent 15c815fb5e
commit c47dd05095
12 changed files with 254 additions and 33 deletions
--- a/tests/handlers/test_query_results.py
+++ b/tests/handlers/test_query_results.py
@@ -193,6 +193,50 @@ class TestQueryResultDropdownResource(BaseTestCase):

        self.assertEquals(rv.status_code, 403)

+class TestQueryDropdownsResource(BaseTestCase):
+    def test_prevents_access_if_query_isnt_associated_with_parent(self):
+        query = self.factory.create_query()
+        unrelated_dropdown_query = self.factory.create_query()
+
+        rv = self.make_request('get', '/api/queries/{}/dropdowns/{}'.format(query.id, unrelated_dropdown_query.id))
+
+        self.assertEquals(rv.status_code, 403)
+
+    def test_allows_access_if_user_has_access_to_parent_query(self):
+        query_result = self.factory.create_query_result()
+        data = {
+            'rows': [],
+            'columns': [{'name': 'whatever'}]
+        }
+        query_result = self.factory.create_query_result(data=json_dumps(data))
+        dropdown_query = self.factory.create_query(latest_query_data=query_result)
+
+        options = {
+                'parameters': [{
+                'type': 'query',
+                'queryId': dropdown_query.id
+            }]
+        }
+        query = self.factory.create_query(options=options)
+
+        rv = self.make_request('get', '/api/queries/{}/dropdowns/{}'.format(query.id, dropdown_query.id))
+
+        self.assertEquals(rv.status_code, 200)
+
+    def test_prevents_access_if_user_doesnt_have_access_to_parent_query(self):
+        related_dropdown_query = self.factory.create_query()
+        unrelated_dropdown_query = self.factory.create_query()
+        options = {
+                'parameters': [{
+                'type': 'query',
+                'queryId': related_dropdown_query.id
+            }]
+        }
+        query = self.factory.create_query(options=options)
+
+        rv = self.make_request('get', '/api/queries/{}/dropdowns/{}'.format(query.id, unrelated_dropdown_query.id))
+
+        self.assertEquals(rv.status_code, 403)

 class TestQueryResultExcelResponse(BaseTestCase):
    def test_renders_excel_file(self):