statistics: Guest user can't access realm statistics.

Don't allow guest user to access realm statistics from UI or at API level. Fixes part of #10749.
2018-11-01 01:39:33 +05:30 · 2018-11-01 01:39:33 +05:30 · 02a5849d4c
parent f6b4e65b92
commit 02a5849d4c
3 changed files with 17 additions and 1 deletions
--- a/analytics/tests/test_views.py
+++ b/analytics/tests/test_views.py
@ -24,6 +24,15 @@ class TestStatsEndpoint(ZulipTestCase):
        # Check that we get something back
        self.assert_in_response("Zulip analytics for", result)

+    def test_guest_user_cant_access_stats(self) -> None:
+        self.user = self.example_user('polonius')
+        self.login(self.user.email)
+        result = self.client_get('/stats')
+        self.assert_json_error(result, "Not allowed for guest users", 400)
+
+        result = self.client_get('/json/analytics/chart_data')
+        self.assert_json_error(result, "Not allowed for guest users", 400)
+
    def test_stats_for_realm(self) -> None:
        user_profile = self.example_user('hamlet')
        self.login(user_profile.email)
--- a/analytics/views.py
+++ b/analytics/views.py
@ -27,7 +27,7 @@ from analytics.lib.time_utils import time_range
 from analytics.models import BaseCount, InstallationCount, \
    RealmCount, StreamCount, UserCount, last_successful_fill, installation_epoch
 from zerver.decorator import require_server_admin, require_server_admin_api, \
-    to_non_negative_int, to_utc_datetime, zulip_login_required
+    to_non_negative_int, to_utc_datetime, zulip_login_required, require_non_guest_user
 from zerver.lib.exceptions import JsonableError
 from zerver.lib.json_encoder_for_html import JSONEncoderForHTML
 from zerver.lib.request import REQ, has_request_variables
@ -52,6 +52,10 @@ def render_stats(request: HttpRequest, data_url_suffix: str, target_name: str,
@zulip_login_required
 def stats(request: HttpRequest) -> HttpResponse:
    realm = request.user.realm
+    if request.user.is_guest:
+        # TODO: Make @zulip_login_required pass the UserProfile so we
+        # can use @require_non_guest_human_user
+        raise JsonableError(_("Not allowed for guest users"))
    return render_stats(request, '', realm.name or realm.string_id)

@require_server_admin
@ -83,6 +87,7 @@ def get_chart_data_for_installation(request: HttpRequest, user_profile: UserProf
                                    chart_name: str=REQ(), **kwargs: Any) -> HttpResponse:
    return get_chart_data(request=request, user_profile=user_profile, for_installation=True, **kwargs)

+@require_non_guest_user
@has_request_variables
 def get_chart_data(request: HttpRequest, user_profile: UserProfile, chart_name: str=REQ(),
                   min_length: Optional[int]=REQ(converter=to_non_negative_int, default=None),
--- a/templates/zerver/app/navbar.html
+++ b/templates/zerver/app/navbar.html
@ -147,12 +147,14 @@
                                    <i class="fa fa-sitemap" aria-hidden="true"></i> {{ _('API documentation') }}
                                </a>
                            </li>
+                            {% if not is_guest %}
                            <li role="presentation">
                                <a href="/stats" target="_blank" role="menuitem">
                                    <i class="fa fa-bar-chart" aria-hidden="true"></i>
                                    <span>{{ _('Statistics') }}</span>
                                </a>
                            </li>
+                            {% endif %}
                            {% if show_plans %}
                            <li role="presentation">
                                <a href="/plans" role="menuitem">