Merge pull request #8502 from stopfstedt/prevent-unprivileged-access-to-report-routes

redirect non-privileged users to 404 page on reports routes.

Author: dartajax

packages/frontend/app/routes/reports.js

@@ -2,9 +2,16 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 
 export default class ReportsRoute extends Route {
+  @service currentUser;
+  @service router;
   @service session;
 
   beforeModel(transition) {
     this.session.requireAuthentication(transition, 'login');
+    if (!this.currentUser.performsNonLearnerFunction) {
+      // Slash on the route name is necessary here due to this bug:
+      // https://github.com/emberjs/ember.js/issues/12945
+      this.router.replaceWith('/four-oh-four');
+    }
   }
 }

packages/frontend/app/routes/reports/curriculum.js

@@ -3,10 +3,11 @@ import { service } from '@ember/service';
 import { DateTime } from 'luxon';
 
 export default class ReportsCurriculumRoute extends Route {
+  @service currentUser;
+  @service router;
   @service session;
   @service store;
   @service graphql;
-  @service currentUser;
 
   queryParams = {
     courses: {
@@ -16,6 +17,11 @@ export default class ReportsCurriculumRoute extends Route {
 
   beforeModel(transition) {
     this.session.requireAuthentication(transition, 'login');
+    if (!this.currentUser.performsNonLearnerFunction) {
+      // Slash on the route name is necessary here due to this bug:
+      // https://github.com/emberjs/ember.js/issues/12945
+      this.router.replaceWith('/four-oh-four');
+    }
   }
 
   async model() {

packages/frontend/app/routes/reports/index.js

@@ -2,11 +2,17 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 
 export default class ReportsIndexRoute extends Route {
+  @service currentUser;
   @service session;
   @service router;
 
   beforeModel(transition) {
     this.session.requireAuthentication(transition, 'login');
+    if (!this.currentUser.performsNonLearnerFunction) {
+      // Slash on the route name is necessary here due to this bug:
+      // https://github.com/emberjs/ember.js/issues/12945
+      this.router.replaceWith('/four-oh-four');
+    }
     this.router.replaceWith('reports.subjects');
   }
 }

packages/frontend/app/routes/reports/subject.js

@@ -2,12 +2,19 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 
 export default class ReportsSubjectRoute extends Route {
+  @service currentUser;
+  @service router;
   @service reporting;
   @service session;
   @service store;
 
   beforeModel(transition) {
     this.session.requireAuthentication(transition, 'login');
+    if (!this.currentUser.performsNonLearnerFunction) {
+      // Slash on the route name is necessary here due to this bug:
+      // https://github.com/emberjs/ember.js/issues/12945
+      this.router.replaceWith('/four-oh-four');
+    }
   }
 
   model(params) {

packages/frontend/app/routes/reports/subjects.js

@@ -1,3 +1,17 @@
 import Route from '@ember/routing/route';
+import { service } from '@ember/service';
 
-export default class ReportsSubjectsRoute extends Route {}
+export default class ReportsSubjectsRoute extends Route {
+  @service currentUser;
+  @service router;
+  @service session;
+
+  beforeModel(transition) {
+    this.session.requireAuthentication(transition, 'login');
+    if (!this.currentUser.performsNonLearnerFunction) {
+      // Slash on the route name is necessary here due to this bug:
+      // https://github.com/emberjs/ember.js/issues/12945
+      this.router.replaceWith('/four-oh-four');
+    }
+  }
+}

packages/frontend/tests/acceptance/access-denied-test.js

@@ -32,6 +32,9 @@ module('Acceptance | Access Denied', function (hooks) {
       '/data/courses/1/terms/1',
       '/data/courses/1/vocabularies',
       '/data/courses/1/vocabularies/1',
+      '/reports/curriculum',
+      '/reports/subjects',
+      '/reports/subjects/1',
     ],
     async function (assert, url) {
       await visit(url);

packages/frontend/tests/acceptance/reports/curriculum-test.js

@@ -13,7 +13,7 @@ module('Acceptance | Reports - Curriculum Reports', function (hooks) {
 
   hooks.beforeEach(async function () {
     this.school = this.server.create('school');
-    await setupAuthentication({ school: this.school });
+    await setupAuthentication({ school: this.school }, true);
     this.server.post('api/graphql', ({ db }, { requestBody }) => {
       const { query } = JSON.parse(requestBody);
       if (query.includes('courses(academicYears:')) {

packages/frontend/tests/acceptance/reports/subject-test.js

@@ -10,7 +10,7 @@ module('Acceptance | Reports - Subject Report', function (hooks) {
 
   hooks.beforeEach(async function () {
     const school = this.server.create('school');
-    const user = await setupAuthentication({ school });
+    const user = await setupAuthentication({ school }, true);
     const vocabulary = this.server.create('vocabulary', {
       school,
     });

packages/frontend/tests/acceptance/reports/subjects-test.js

@@ -12,7 +12,7 @@ module('Acceptance | Reports - Subject Reports', function (hooks) {
 
   hooks.beforeEach(async function () {
     const school = this.server.create('school');
-    const user = await setupAuthentication({ school });
+    const user = await setupAuthentication({ school }, true);
     const vocabulary = this.server.create('vocabulary', {
       school,
     });