Fix auth issue with POST /api/docs/query (#4593)

This commit is contained in:
Artur Pata 2024-09-18 18:46:05 +03:00 committed by GitHub
parent 82a15884ad
commit 59c7ce2ef1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 65 additions and 3 deletions


@ -64,7 +64,11 @@ defmodule PlausibleWeb.Plugs.AuthorizeSiteAccess do
end
defp get_site_with_role(conn, current_user) do
domain = conn.path_params["domain"] || conn.path_params["website"]
# addition is flimsy, do we need an extra argument on plug init to control where we look for the domain?
domain =
conn.path_params["domain"] || conn.path_params["website"] ||
(conn.method == "POST" && conn.path_info == ["api", "docs", "query"] &&
conn.params["site_id"])
site_query =
from(
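Review bot: The fallback added on the `(conn.method == "POST" && conn.path_info == ["api", "docs", "query"] &&` line changes what `domain` holds when nothing matches: `&&` yields its first falsy operand, so a request with no `domain`/`website` path param that is not a POST to /api/docs/query now binds `false` where the old line bound `nil`, and a POST to that route whose JSON `site_id` is a list or map binds that value unchecked. Whether the site query that follows tolerates `false` or a non-binary cannot be seen here, since `get_site_with_role/2` continues past the hunk, but the tests in this commit expect a 404 for an unknown site, so normalizing the body lookup to a binary or `nil` keeps the plug's behaviour uniform across routes. The added comment already asks whether the route should be hard-coded in the plug; isolating the body lookup in a private helper, as below, keeps that decision in one clause, and a plug option naming the lookup key could replace the path match later without touching the query.

```elixir
# Only the documented POST /api/docs/query route may name the site in its body;
# anything other than a binary counts as absent so the usual not-found path applies.
defp site_id_from_body(%Plug.Conn{method: "POST", path_info: ["api", "docs", "query"]} = conn) do
  case conn.params["site_id"] do
    site_id when is_binary(site_id) -> site_id
    _ -> nil
  end
end

defp site_id_from_body(_conn), do: nil

defp get_site_with_role(conn, current_user) do
  domain =
    conn.path_params["domain"] || conn.path_params["website"] || site_id_from_body(conn)
  # … unchanged: site_query and the rest of get_site_with_role/2 …
```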


@ -50,9 +50,7 @@ defmodule PlausibleWeb.Router do
plug :accepts, ["json"]
plug :fetch_session
plug PlausibleWeb.AuthPlug
plug PlausibleWeb.Plugs.AuthorizeSiteAccess, [:admin, :super_admin, :owner]
plug PlausibleWeb.Plugs.NoRobots
end


@ -0,0 +1,60 @@
defmodule PlausibleWeb.Api.InternalController.DocsQueryTest do
use PlausibleWeb.ConnCase, async: true
use Plausible.Repo
@user_id Enum.random(1000..9999)
describe "POST /api/docs/query not logged in" do
setup [:create_user, :create_new_site]
test "rejects request when not logged in", %{conn: conn, site: site} do
populate_stats(site, [
build(:pageview, timestamp: ~N[2021-01-01 00:00:00])
])
conn =
post(conn, "/api/docs/query", %{
"site_id" => site.domain,
"metrics" => ["pageviews"],
"date_range" => "all"
})
assert json_response(conn, 404) == %{
"error" => "Site does not exist or user does not have sufficient access."
}
end
end
describe "POST /api/docs/query logged in" do
setup [:create_user, :create_new_site, :log_in]
test "rejects when accessing any other site", %{conn: conn} do
conn =
post(conn, "/api/docs/query", %{
"site_id" => "any.other.site",
"metrics" => ["pageviews"],
"date_range" => "all"
})
assert json_response(conn, 404) == %{
"error" => "Site does not exist or user does not have sufficient access."
}
end
test "returns aggregated metrics", %{conn: conn, site: site} do
populate_stats(site, [
build(:pageview, user_id: @user_id, timestamp: ~N[2021-01-01 00:00:00]),
build(:pageview, user_id: @user_id, timestamp: ~N[2021-01-01 00:25:00]),
build(:pageview, timestamp: ~N[2021-01-01 00:00:00])
])
conn =
post(conn, "/api/docs/query", %{
"site_id" => site.domain,
"metrics" => ["pageviews"],
"date_range" => "all"
})
assert json_response(conn, 200)["results"] == [%{"metrics" => [3], "dimensions" => []}]
end
end
end
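Review bot: The "rejects when accessing any other site" test at `"site_id" => "any.other.site"` posts a domain that is never inserted, so it only exercises the not-found branch; the case the commit title is about, a logged-in user naming a site that exists but on which they hold no role, is not covered, and because both paths return the same 404 body the two are indistinguishable in the assertion. Inserting a second site that the current user is not a member of (e.g. `other_site = insert(:site)` if the factory used by `build/2` provides one) and posting `"site_id" => other_site.domain` with the same 404 assertion would pin that behaviour. If the router pipeline changed in this commit limits the route to `[:admin, :super_admin, :owner]`, a test for a member holding a lesser role is also worth adding, though whether that pipeline covers this route is not visible from the router hunk.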