Feature flag for data dashboard: Make sure that only super-admins can…

… access the `statistics` field. Reference: CV2-5401.
meedan · Nov 7, 2024 · 402accf · 402accf
1 parent 0c60a3a
commit 402accf
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/app/graph/types/team_type.rb b/app/graph/types/team_type.rb
@@ -397,6 +397,7 @@ def api_keys
   end
 
   def statistics(period:, language: nil, platform: nil)
+    raise CheckPermissions::AccessDenied.new("You don't have access to this field.") unless User.current&.is_admin
     TeamStatistics.new(object, period, language, platform)
   end
 end
diff --git a/test/controllers/graphql_controller_11_test.rb b/test/controllers/graphql_controller_11_test.rb
@@ -201,8 +201,8 @@ def teardown
     end
   end
 
-  test "should get team statistics" do
-    user = create_user
+  test "should get team statistics if super admin" do
+    user = create_user is_admin: true
     team = create_team
     create_team_user user: user, team: team, role: 'admin'
 
@@ -244,6 +244,28 @@ def teardown
 
     post :create, params: { query: query }
     assert_response :success
+    assert_not_nil JSON.parse(@response.body).dig('data', 'team', 'statistics')
+  end
+
+  test "should not get team statistics if not super admin" do
+    user = create_user is_admin: false
+    team = create_team
+    create_team_user user: user, team: team, role: 'admin'
+
+    authenticate_with_user(user)
+    query = <<~GRAPHQL
+      query {
+        team(slug: "#{team.slug}") {
+          statistics(period: "past_week", platform: "whatsapp", language: "en") {
+            number_of_articles_created_by_date
+          }
+        }
+      }
+    GRAPHQL
+
+    post :create, params: { query: query }
+    assert_response :success
+    assert_nil JSON.parse(@response.body).dig('data', 'team', 'statistics')
   end
 
   test "should not get requests if interval is more than one month" do