Search: don't show inaccessible metrics & segments (#12916)

6b6ce17c · Simon Belak · GitHub · e7794a50 · 6b6ce17c · 6b6ce17c
Unverified Commit 6b6ce17c authored 4 years ago by Simon Belak Committed by GitHub 4 years ago
--- a/src/metabase/api/search.clj
+++ b/src/metabase/api/search.clj
@@ -16,6 +16,7 @@
             [collection :as coll :refer [Collection]]
             [dashboard :refer [Dashboard]]
             [dashboard-favorite :refer [DashboardFavorite]]
+             [interface :as mi]
             [metric :refer [Metric]]
             [permissions :as perms]
             [pulse :refer [Pulse]]
@@ -339,6 +340,23 @@
                  (for [path current-user-perms]
                    [:like :path (str path "%")]))}))))

+(defmulti ^:private check-permissions-for-model
+  {:arglists '([search-result])}
+  (comp keyword :model))
+
+(defmethod check-permissions-for-model :default
+  [_]
+  ;; We filter what we can (ie. everything that is in a collection) out already when querying
+  true)
+
+(defmethod check-permissions-for-model :metric
+  [{:keys [id]}]
+  (-> id Metric mi/can-read?))
+
+(defmethod check-permissions-for-model :segment
+  [{:keys [id]}]
+  (-> id Segment mi/can-read?))
+
 (s/defn ^:private search
  "Builds a search query that includes all of the searchable entities and runs it"
  [search-ctx :- SearchContext]
@@ -355,7 +373,8 @@
          results      (sort-by (juxt (comp model->sort-position :model)
                                      :name)
                                (db/query search-query :max-rows search-max-results))]
-      (for [row results]
+      (for [row results
+            :when (check-permissions-for-model row)]
        ;; MySQL returns `:favorite` and `:archived` as `1` or `0` so convert those to boolean as needed
        (-> row
            (update :favorite bit->boolean)

--- a/test/metabase/api/search_test.clj
+++ b/test/metabase/api/search_test.clj
@@ -217,7 +217,27 @@
                     (map #(merge default-search-row % (table-search-results))
                          [{:name "metric test2 metric", :description "Lookin' for a blueberry", :model "metric"}
                           {:name "segment test2 segment", :description "Lookin' for a blueberry", :model "segment"}])))
-                   (search-request :rasta :q "test")))))))))
+                   (search-request :rasta :q "test"))))))))
+
+  (testing "Metrics on tables for which the user does not have access to should not show up in results"
+    (mt/with-temp* [Database [{db-id :id}]
+                    Table    [{table-id :id} {:db_id  db-id
+                                              :schema nil}]
+                    Metric   [_ {:table_id table-id
+                                 :name     "test metric"}]]
+      (perms/revoke-permissions! (group/all-users) db-id)
+      (is (= []
+             (search-request :rasta :q "test")))))
+
+  (testing "Segments on tables for which the user does not have access to should not show up in results"
+    (mt/with-temp* [Database [{db-id :id}]
+                    Table    [{table-id :id} {:db_id  db-id
+                                              :schema nil}]
+                    Segment  [_ {:table_id table-id
+                                 :name     "test segment"}]]
+      (perms/revoke-permissions! (group/all-users) db-id)
+      (is (= []
+             (search-request :rasta :q "test"))))))

 (deftest favorites-test
  (testing "Favorites are per user, so other user's favorites don't cause search results to be favorited"