Alert API sends all alert information to any user. Change this to onl… (#34067)

* Alert API sends all alert information to any user. Change this to only show those pulses the user has created or is
recipient of

* Adjust tests to show that only admins see all alerts. Regular users only see their alerts.

* Change docstring to describe behaviour of the endpoint.

src/metabase/api/alert.clj

@@ -28,14 +28,18 @@
   (classloader/require 'metabase-enterprise.advanced-permissions.common))
 
 (api/defendpoint GET "/"
-  "Fetch all alerts"
+  "Fetch alerts which the current user has created or will receive, or all alerts if the user is an admin.
+  The optional `user_id` will return alerts created by the corresponding user, but is ignored for non-admin users."
   [archived user_id]
   {archived [:maybe ms/BooleanString]
    user_id  [:maybe ms/PositiveInt]}
-  (as-> (pulse/retrieve-alerts {:archived? (Boolean/parseBoolean archived)
-                                :user-id   user_id}) <>
-    (filter mi/can-read? <>)
-    (t2/hydrate <> :can_write)))
+  (let [user-id (if api/*is-superuser?*
+                  user_id
+                  api/*current-user-id*)]
+    (as-> (pulse/retrieve-alerts {:archived? (Boolean/parseBoolean archived)
+                                  :user-id   user-id}) <>
+      (filter mi/can-read? <>)
+      (t2/hydrate <> :can_write))))
 
 (api/defendpoint GET "/:id"
   "Fetch an alert by ID"
@@ -45,7 +49,7 @@
       (t2/hydrate :can_write)))
 
 (api/defendpoint GET "/question/:id"
-  "Fetch all questions for the given question (`Card`) id"
+  "Fetch all alerts for the given question (`Card`) id"
   [id archived]
   {id       [:maybe ms/PositiveInt]
    archived [:maybe ms/BooleanString]}

test/metabase/api/alert_test.clj

@@ -6,7 +6,7 @@
    [metabase.email-test :as et]
    [metabase.http-client :as client]
    [metabase.models
-    :refer [Card Collection Pulse PulseCard PulseChannel PulseChannelRecipient]]
+    :refer [Card Collection Pulse PulseCard PulseChannel PulseChannelRecipient User]]
    [metabase.models.permissions :as perms]
    [metabase.models.permissions-group :as perms-group]
    [metabase.models.pulse :as pulse]
@@ -173,14 +173,21 @@
             (t2/update! Pulse (u/the-id creator-alert) {:name "LuckyCreator" :creator_id (mt/user->id :lucky)})
             (t2/update! Pulse (u/the-id recipient-alert) {:name "LuckyRecipient"})
             (t2/update! Pulse (u/the-id other-alert) {:name "Other"})
-            (mt/with-temp [PulseChannel pulse-channel {:pulse_id (u/the-id recipient-alert)}
+            (mt/with-temp [User uninvolved-user {}
+                           PulseChannel pulse-channel {:pulse_id (u/the-id recipient-alert)}
                            PulseChannelRecipient _ {:pulse_channel_id (u/the-id pulse-channel), :user_id (mt/user->id :lucky)}]
-              (is (= #{"LuckyCreator" "LuckyRecipient"}
-                     (set (map :name (mt/user-http-request :rasta :get 200 "alert" :user_id (mt/user->id :lucky))))))
-              (is (= #{"LuckyRecipient" "Other"}
-                     (set (map :name (mt/user-http-request :rasta :get 200 "alert" :user_id (mt/user->id :rasta))))))
-              (is (= #{}
-                     (set (map :name (mt/user-http-request :rasta :get 200 "alert" :user_id (mt/user->id :trashbird)))))))))))))
+              (testing "Admin can see any alerts"
+                (is (= #{"LuckyCreator" "LuckyRecipient" "Other"}
+                       (set (map :name (mt/user-http-request :crowberto :get 200 "alert")))))
+                (is (= #{"LuckyCreator" "LuckyRecipient"}
+                       (set (map :name (mt/user-http-request :crowberto :get 200 "alert" :user_id (mt/user->id :lucky)))))))
+              (testing "Regular Users will only see alerts they have created or recieve"
+                (is (= #{"LuckyCreator" "LuckyRecipient"}
+                       (set (map :name (mt/user-http-request :lucky :get 200 "alert")))))
+                (is (= #{"LuckyRecipient" "Other"}
+                       (set (map :name (mt/user-http-request :rasta :get 200 "alert" :user_id (mt/user->id :rasta))))))
+                (is (= #{}
+                       (set (map :name (mt/user-http-request (u/the-id uninvolved-user) :get 200 "alert")))))))))))))
 
 ;;; +----------------------------------------------------------------------------------------------------------------+
 ;;; |                                               GET /api/alert/:id                                               |