Allow admins to access the stats API

2024-11-26 23:27:54 +03:00 · 2021-11-25 15:32:01 +02:00 · 2021-11-25 15:32:01 +02:00 · 7e93500834
commit 7e93500834
parent 2bdfec1cc0
2 changed files with 33 additions and 0 deletions
--- a/lib/plausible_web/plugs/authorize_stats_api.ex
+++ b/lib/plausible_web/plugs/authorize_stats_api.ex
@ -46,9 +46,11 @@ defmodule PlausibleWeb.AuthorizeStatsApiPlug do
  defp verify_access(api_key, site_id) do
    site = Repo.get_by(Plausible.Site, domain: site_id)
    is_member = site && Plausible.Sites.is_member?(api_key.user_id, site)
+    is_admin = api_key.user_id in admin_user_ids()

    cond do
      site && is_member -> {:ok, site}
+      site && is_admin -> {:ok, site}
      true -> {:error, :invalid_api_key}
    end
  end
@ -77,4 +79,8 @@ defmodule PlausibleWeb.AuthorizeStatsApiPlug do
      {:deny, _} -> {:error, :rate_limit, api_key.hourly_request_limit}
    end
  end
+
+  defp admin_user_ids() do
+    Application.get_env(:plausible, :admin_user_ids)
+  end
 end
--- a/test/plausible_web/controllers/api/external_stats_controller/auth_test.exs
+++ b/test/plausible_web/controllers/api/external_stats_controller/auth_test.exs
@ -52,6 +52,33 @@ defmodule PlausibleWeb.Api.ExternalStatsController.AuthTest do
           }
  end

+  test "can access with correct API key and site ID", %{conn: conn, user: user, api_key: api_key} do
+    site = insert(:site, members: [user])
+
+    conn =
+      conn
+      |> Plug.Conn.put_req_header("authorization", "Bearer #{api_key}")
+      |> get("/api/v1/stats/aggregate", %{"site_id" => site.domain, "metrics" => "pageviews"})
+
+    assert json_response(conn, 200) == %{
+             "results" => %{"pageviews" => %{"value" => 0}}
+           }
+  end
+
+  test "can access as an admin", %{conn: conn, user: user, api_key: api_key} do
+    Application.put_env(:plausible, :admin_user_ids, [user.id])
+    site = insert(:site)
+
+    conn =
+      conn
+      |> Plug.Conn.put_req_header("authorization", "Bearer #{api_key}")
+      |> get("/api/v1/stats/aggregate", %{"site_id" => site.domain, "metrics" => "pageviews"})
+
+    assert json_response(conn, 200) == %{
+             "results" => %{"pageviews" => %{"value" => 0}}
+           }
+  end
+
  test "limits the rate of API requests", %{user: user} do
    api_key = insert(:api_key, user_id: user.id, hourly_request_limit: 3)