fix: distribution charts using groupby on a relationship should not throws 403 Forbidden (#459)

Thenkei · web-flow · commit 50663e93083f · 2021-05-12T15:49:24.000+02:00
* fix: charts should no longer throws 403 forbidden when not needed

* fix: distribution charts using groupby on a relationship throws 403 Forbidden
diff --git a/app/controllers/forest_liana/stats_controller.rb b/app/controllers/forest_liana/stats_controller.rb
@@ -89,6 +89,11 @@ def get_stat_parameter_request_info
       parameters.delete('controller');
       parameters.delete('action');
 
+      # NOTICE: Remove the field information from group_by_field => collection:id
+      if parameters['group_by_field']
+        parameters['group_by_field'] = parameters['group_by_field'].split(':').first
+      end
+
       return parameters;
     end
 
diff --git a/app/services/forest_liana/permissions_checker.rb b/app/services/forest_liana/permissions_checker.rb
@@ -177,13 +177,12 @@ def stat_with_parameters_allowed?
       return false unless pool_permissions
 
       # NOTICE: equivalent to Object.values in js & removes nil values
-      array_query_request_info = @query_request_info.values.filter_map{ |x| x unless x.nil? }
+      array_permission_infos = @query_request_info.values.filter_map{ |x| x unless x.nil? }
 
-      # NOTICE: pool_permissions contains the @query_request_info
-      #   we use the intersection between statPermission and @query_request_info
+      # NOTICE: Is there any pool_permissions containing the array_permission_infos
       return pool_permissions.any? {
         |statPermission|
-          (array_query_request_info & statPermission.values) == array_query_request_info;
+          (array_permission_infos.all? { |info| statPermission.values.include?(info) });
       }
     end
 
diff --git a/spec/requests/stats_spec.rb b/spec/requests/stats_spec.rb
@@ -72,12 +72,14 @@
       expect(response.status).to eq(404)
     end
 
-    # it 'should respond 403 Forbidden' do
-    #   allow_any_instance_of(ForestLiana::PermissionsChecker).to receive(:is_authorized?) { false }
+    it 'should respond 403 Forbidden' do
+      allow_any_instance_of(ForestLiana::PermissionsChecker).to receive(:is_authorized?) { false }
+      # NOTICE: bypass : find_resource error
+      allow_any_instance_of(ForestLiana::StatsController).to receive(:find_resource) { true }
 
-    #   post '/forest/stats/Products', params: JSON.dump(params), headers: headers
-    #   expect(response.status).to eq(403)
-    # end
+      post '/forest/stats/Products', params: JSON.dump(params), headers: headers
+      expect(response.status).to eq(403)
+    end
   end
   
   describe 'POST /stats' do
