FIX: Do not show hidden queries in group reports (#57)

FIX: Do not show hidden queries in group reports (#57)

diff --git a/plugin.rb b/plugin.rb
index 3eab4cd..6faf2cd 100644
--- a/plugin.rb
+++ b/plugin.rb
@@ -1080,15 +1080,16 @@ SQL
       respond_to do |format|
         format.html { render 'groups/show' }
         format.json do
-          queries = DataExplorer::Query.all
-          queries.select! { |query| query.group_ids&.include?(group.id.to_s) }
-          render_serialized queries, DataExplorer::QuerySerializer, root: 'queries'
+          queries = DataExplorer::Query.all.select do |query|
+            !query.hidden && query.group_ids&.include?(group.id.to_s)
+          end
+          render_serialized(queries, DataExplorer::QuerySerializer, root: 'queries')
         end
       end
     end
 
     def group_reports_show
-      return raise Discourse::NotFound unless guardian.user_can_access_query?(group, query)
+      return raise Discourse::NotFound if !guardian.user_can_access_query?(group, query) || query.hidden
 
       respond_to do |format|
         format.html { render 'groups/show' }
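Review bot: The hidden check is repeated at every call site (the `select` in the index action, `group_reports_show` here, and `group_reports_run` in the next hunk) instead of living in the authorization helper. Any other caller of `guardian.user_can_access_query?` would still treat a hidden query as accessible, although no such caller is visible in this diff. If nothing needs hidden queries through the group path, put the rule in that guardian method, e.g. `return false if query.hidden` at its top, so the three actions cannot drift apart. Separately, `return raise Discourse::NotFound if ...` carries a redundant `return`; `raise Discourse::NotFound if query.hidden || !guardian.user_can_access_query?(group, query)` says the same thing. The index action starts above this hunk and `group_reports_show` continues below it.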
@@ -1100,7 +1101,7 @@ SQL
 
     skip_before_action :check_xhr, only: [:group_reports_run]
     def group_reports_run
-      return raise Discourse::NotFound unless guardian.user_can_access_query?(group, query)
+      return raise Discourse::NotFound if !guardian.user_can_access_query?(group, query) || query.hidden
 
       run
     end
diff --git a/spec/controllers/queries_controller_spec.rb b/spec/controllers/queries_controller_spec.rb
index c8f15c4..b94a214 100644
--- a/spec/controllers/queries_controller_spec.rb
+++ b/spec/controllers/queries_controller_spec.rb
@@ -361,21 +361,31 @@ describe DataExplorer::QueryController do
       end
 
       it "returns a 404 when the user should not have access to the query " do
-        user = Fabricate(:user)
-        log_in_user(user)
+        other_user = Fabricate(:user)
+        log_in_user(other_user)
 
         get :group_reports_index, params: { group_name: group.name }, format: :json
         expect(response.status).to eq(404)
       end
 
       it "return a 200 when the user has access the the query" do
-        user = Fabricate(:user)
-        log_in_user(user)
         group.add(user)
 
         get :group_reports_index, params: { group_name: group.name }, format: :json
         expect(response.status).to eq(200)
       end
+
+      it "does not return hidden queries" do
+
+        group.add(user)
+        make_query('SELECT 1 as value', { name: 'A', hidden: true }, ["#{group.id}"])
+        make_query('SELECT 1 as value', { name: 'B' }, ["#{group.id}"])
+
+        get :group_reports_index, params: { group_name: group.name }, format: :json
+        expect(response.status).to eq(200)
+        expect(response_json['queries'].length).to eq(1)
+        expect(response_json['queries'][0]['name']).to eq('B')
+      end
     end
 
     describe "#group_reports_run" do
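Review bot: The new "does not return hidden queries" example passes the group list as `["#{group.id}"]`, while the neighbouring examples use `[group.id.to_s]`; use the latter and drop the blank line that opens the example body. The example relies on a `user` that is created and logged in outside this hunk, so it is worth a short comment such as `# user is logged in by the shared setup` to make that dependency explicit. The `length` and `name` assertions do pin the security-relevant behaviour, that only query 'B' is serialized.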
@@ -387,8 +397,6 @@ describe DataExplorer::QueryController do
       end
 
       it "returns a 404 when the user should not have access to the query " do
-        user = Fabricate(:user)
-        log_in_user(user)
         group.add(user)
         query = make_query('SELECT 1 as value', {}, [])
 
@@ -397,14 +405,20 @@ describe DataExplorer::QueryController do
       end
 
       it "return a 200 when the user has access the the query" do
-        user = Fabricate(:user)
-        log_in_user(user)
         group.add(user)
         query = make_query('SELECT 1 as value', {}, [group.id.to_s])
 
         get :group_reports_run, params: { group_name: group.name, id: query.id }, format: :json
         expect(response.status).to eq(200)
       end
+
+      it "return a 404 when the query is hidden" do
+        group.add(user)
+        query = make_query('SELECT 1 as value', { hidden: true }, [group.id.to_s])
+
+        get :group_reports_run, params: { group_name: group.name, id: query.id }, format: :json
+        expect(response.status).to eq(404)
+      end
     end
 
     describe "#group_reports_show" do
@@ -429,6 +443,16 @@ describe DataExplorer::QueryController do
         get :group_reports_show, params: { group_name: group.name, id: query.id }, format: :json
         expect(response.status).to eq(200)
       end
+
+      it "return a 404 when the query is hidden" do
+        user = Fabricate(:user)
+        log_in_user(user)
+        group.add(user)
+        query = make_query('SELECT 1 as value', { hidden: true }, [group.id.to_s])
+
+        get :group_reports_show, params: { group_name: group.name, id: query.id }, format: :json
+        expect(response.status).to eq(404)
+      end
     end
   end
 end
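Review bot: The local `user = Fabricate(:user)` / `log_in_user(user)` in the new hidden-query example is inconsistent with the rest of the commit, which removes exactly that setup from the `#group_reports_index` and `#group_reports_run` examples in favour of a shared `user`. The setup of the `#group_reports_show` describe block is outside this hunk, so it is unclear whether the shared `user` is in scope there. If it is, drop these two lines so the example does not shadow it. Either way the 404 expectation cannot tell "hidden" from "no access"; a sibling example that flips only `hidden` on the same query would show that the 404 comes from the flag.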

GitHub sha: 5bf875a1

This commit appears in #57 which was merged by markvanlan.