webui: Ensure Save/Delete buttons are only shown to database owner

justinclift · justinclift · commit 7b2caad079fc · 2023-04-25T13:55:30.000+10:00
We probably want to allow anyone with write access to see and use
them, but this is a reasonable starting point
diff --git a/cypress/e2e/1-webui/visualisation.cy.js b/cypress/e2e/1-webui/visualisation.cy.js
@@ -322,4 +322,40 @@ describe('visualisation', () => {
     // Switch back to the default user
     cy.request('/x/test/switchdefault')
   })
+
+  // Ensure the save and delete buttons are only shown to the database owner
+  it('Ensure save/delete buttons are only shown to database owner', () => {
+    // Switch to a different user
+    cy.request('/x/test/switchfirst')
+
+    // Load a public page
+    cy.visit('/vis/default/Assembly Election 2017 with view.sqlite')
+
+    // Test if the Save and Delete fields are visible.  They shouldn't be
+    cy.get('[data-cy="savebtn"').should('not.exist')
+    cy.get('[data-cy="nameinput"').should('not.exist')
+    cy.get('[data-cy="delvisbtn"').should('not.exist')
+
+    // Log out
+    cy.request('/x/test/logout')
+
+    // Reload the page
+    cy.visit('/vis/default/Assembly Election 2017 with view.sqlite')
+
+    // Test if the Save and Delete fields are visible.  They shouldn't be
+    cy.get('[data-cy="savebtn"').should('not.exist')
+    cy.get('[data-cy="nameinput"').should('not.exist')
+    cy.get('[data-cy="delvisbtn"').should('not.exist')
+
+    // Switch back to the default user
+    cy.request('/x/test/switchdefault')
+
+    // Reload the page again
+    cy.visit('/vis/default/Assembly Election 2017 with view.sqlite')
+
+    // Ensure the Save and Delete fields are visible.  They should be this time
+    cy.get('[data-cy="savebtn"').should('exist')
+    cy.get('[data-cy="nameinput"').should('exist')
+    cy.get('[data-cy="delvisbtn"').should('exist')
+  })
 })
diff --git a/webui/templates/visualise.html b/webui/templates/visualise.html
@@ -166,9 +166,11 @@
         <input type="submit" class="btn" value="Download as CSV" ng-click="downloadResults()" data-cy="downcsvbtn">
         <input type="submit" class="btn" value="Format SQL" ng-click="formatSQL()" data-cy="formatsqlbtn">
         <input type="submit" class="btn btn-success" value="Run SQL" ng-click="execSQL()" data-cy="runsqlbtn">
-        <input type="submit" class="btn btn-primary" value="Save as:" ng-click="saveAs()" data-cy="savebtn">
-        <input type="text" id="savename" value="default" data-cy="nameinput">
-        <input type="submit" class="btn btn-danger" value="Delete" ng-click="deleteVis()" data-cy="delvisbtn">
+        [[ if eq .PageMeta.LoggedInUser .DB.Info.Owner ]]
+            <input type="submit" class="btn btn-primary" value="Save as:" ng-click="saveAs()" data-cy="savebtn">
+            <input type="text" id="savename" value="default" data-cy="nameinput">
+            <input type="submit" class="btn btn-danger" value="Delete" ng-click="deleteVis()" data-cy="delvisbtn">
+        [[ end ]]
     </div>
     <div class="row">
         <div class="col-md-2">&nbsp;</div>
