fix: smart actions restricted to a segment using segment query should be visible (#510)

* fix: smart actions restricted to a segment using segment query should be visible

* test: add rspec tests for all use cases

Author: Thenkei

app/services/forest_liana/permissions_checker.rb

@@ -159,9 +159,16 @@ def smart_action_allowed?(smart_actions_permissions)
 
     def segment_query_allowed?
       segments_queries_permissions = get_segments_in_permissions
-
+      # NOTICE: The segmentQuery should be in the segments_queries_permissions
       return false unless segments_queries_permissions
 
+      # Handle UNION queries made by the FRONT to display available actions on details view
+      unionQueries = @collection_list_parameters[:segmentQuery].split('/*MULTI-SEGMENTS-QUERIES-UNION*/ UNION ');
+      if unionQueries.length > 1
+        # Are unionQueries all included only in the allowed queries
+        return unionQueries.all? { |unionQuery| segments_queries_permissions.select { |query| query.gsub(/;\s*/i, '') === unionQuery }.length > 0 };
+      end
+
       # NOTICE: @query_request_info matching an existing segment query
       return segments_queries_permissions.include? @collection_list_parameters[:segmentQuery]
     end

spec/services/forest_liana/permissions_checker_acl_disabled_spec.rb

@@ -481,6 +481,14 @@ module ForestLiana
               end
             end
 
+            context 'when user has no segments and param segmentQuery is there' do
+              let(:segmentQuery) { 'SELECT * FROM products;' }
+              let(:collection_list_parameters) { { :user_id => "1", :segmentQuery => segmentQuery } }
+              it 'should be authorized' do
+                expect(subject.is_authorized?).to be false
+              end
+            end
+
             context 'when segments are defined' do
               let(:segments_permissions) { ['SELECT * FROM products;', 'SELECT * FROM sellers;'] }
               let(:collection_list_parameters) { { :user_id => "1", :segmentQuery => segmentQuery } }
@@ -499,6 +507,26 @@ module ForestLiana
                 end
               end
 
+              context 'when received union segments NOT passing validation' do
+                let(:segmentQuery) { 'SELECT * FROM sellers/*MULTI-SEGMENTS-QUERIES-UNION*/ UNION SELECT column_name(s) FROM table1 UNION SELECT column_name(s) FROM table2' }
+                it 'should return false' do
+                  expect(subject.is_authorized?).to be false
+                end
+              end
+
+              context 'when received union segments passing validation' do
+                let(:segmentQuery) { 'SELECT * FROM sellers/*MULTI-SEGMENTS-QUERIES-UNION*/ UNION SELECT * FROM products' }
+                it 'should return true' do
+                  expect(subject.is_authorized?).to be true
+                end
+              end
+              context 'when received union segments with UNION inside passing validation' do
+                let(:segmentQuery) { 'SELECT COUNT(*) AS value FROM products/*MULTI-SEGMENTS-QUERIES-UNION*/ UNION SELECT column_name(s) FROM table1 UNION SELECT column_name(s) FROM table2' }
+                let(:segments_permissions) { ['SELECT COUNT(*) AS value FROM products;', 'SELECT column_name(s) FROM table1 UNION SELECT column_name(s) FROM table2;', 'SELECT * FROM products;', 'SELECT * FROM sellers;'] }
+                it 'should return true' do
+                  expect(subject.is_authorized?).to be true
+                end
+              end
             end
 
             context 'when user has not the required permission' do

spec/services/forest_liana/permissions_checker_acl_enabled_spec.rb

@@ -458,6 +458,14 @@ module ForestLiana
               end
             end
 
+            context 'when user has no segments queries permissions and param segmentQuery is there' do
+              let(:segmentQuery) { 'SELECT * FROM products;' }
+              let(:collection_list_parameters) { { :user_id => "1", :segmentQuery => segmentQuery } }
+              it 'should be authorized' do
+                expect(subject.is_authorized?).to be false
+              end
+            end
+
             context 'when segments are defined' do
               let(:default_rendering_id) { 1 }
               let(:segments_permissions) {
@@ -484,6 +492,36 @@ module ForestLiana
                   expect(subject.is_authorized?).to be false
                 end
               end
+
+              context 'when received union segments NOT passing validation' do
+                let(:segmentQuery) { 'SELECT * FROM sellers/*MULTI-SEGMENTS-QUERIES-UNION*/ UNION SELECT column_name(s) FROM table1 UNION SELECT column_name(s) FROM table2' }
+                it 'should return false' do
+                  expect(subject.is_authorized?).to be false
+                end
+              end
+
+              context 'when received union segments passing validation' do
+                let(:segmentQuery) { 'SELECT * FROM sellers/*MULTI-SEGMENTS-QUERIES-UNION*/ UNION SELECT * FROM products' }
+                it 'should return true' do
+                  expect(subject.is_authorized?).to be true
+                end
+              end
+
+              context 'when received union segments with UNION inside passing validation' do
+                let(:segmentQuery) { 'SELECT COUNT(*) AS value FROM products/*MULTI-SEGMENTS-QUERIES-UNION*/ UNION SELECT column_name(s) FROM table1 UNION SELECT column_name(s) FROM table2' }
+                let(:segments_permissions) {
+                  {
+                    default_rendering_id => {
+                      collection_name => {
+                        'segments' => ['SELECT COUNT(*) AS value FROM products;', 'SELECT column_name(s) FROM table1 UNION SELECT column_name(s) FROM table2;', 'SELECT * FROM products;', 'SELECT * FROM sellers;']
+                      }
+                    }
+                  }
+                }
+                it 'should return true' do
+                  expect(subject.is_authorized?).to be true
+                end
+              end
             end
           end