Hide analytics dashboards for users without access
Problem to solve
The dashboard list at Project > Analytics > Dashboards remains visible even if a user is signed out.
Steps to reproduce
- Enable the product analytics feature flag
- Open a browser in incognito mode
- View the settings at Project > Analytics > Dashboards.
Screenshot
Proposed solution
- Don't render the page and remove the dashboards menu item.
Implementation plan
Backend
Analytics dashboards should only be available if a user is authenticated and has permission (only for developers and up).
- Add `before_action :authorize_read_product_analytics!` to `Projects::Analytics::DashboardsController`.
- Add `can?(context.current_user, :read_product_analytics, context.project)` to `AnalyticsMenu#dashboards_analytics_menu_item`.
- Update related specs.
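The plan above relies on one policy ability being consulted from two places: a controller `before_action` that aborts the request, and a sidebar builder that returns a nil menu item. The following is an added, self-contained Ruby model of that two-layer check; it is not GitLab code. The role names, access levels, `ProjectPolicy`, `NotFound`, and the simplified `DashboardsController` and `dashboards_analytics_menu_item` are assumptions standing in for the real classes, and the project and users are constructed sample data.

```ruby
# Added example (not GitLab code): a minimal model of the two-layer check the
# implementation plan describes. A project policy grants :read_product_analytics
# only to authenticated members at developer access or above; the controller's
# before_action and the sidebar menu consult the same policy, so a signed-out
# or guest user gets neither the page nor the menu item.
# Role names and access levels are assumptions for illustration.

ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

User = Struct.new(:name)
Project = Struct.new(:name, :members) # members: { User => role symbol }

# Stand-in for a declarative policy class.
class ProjectPolicy
  def initialize(user, project)
    @user = user
    @project = project
  end

  # True only for signed-in members at developer level or higher.
  def allowed?(ability)
    return false if @user.nil? # anonymous users never pass

    case ability
    when :read_product_analytics
      role = @project.members[@user]
      !role.nil? && ACCESS_LEVELS.fetch(role) >= ACCESS_LEVELS[:developer]
    else
      false
    end
  end
end

def can?(user, ability, project)
  ProjectPolicy.new(user, project).allowed?(ability)
end

class NotFound < StandardError; end

# Stand-in for Projects::Analytics::DashboardsController: the before_action
# runs first and aborts the request with a 404 when the policy denies access.
class DashboardsController
  attr_reader :current_user, :project

  def initialize(current_user, project)
    @current_user = current_user
    @project = project
  end

  def index
    authorize_read_product_analytics!
    { status: 200, body: "dashboards for #{project.name}" }
  rescue NotFound
    { status: 404, body: "" }
  end

  private

  def authorize_read_product_analytics!
    raise NotFound unless can?(current_user, :read_product_analytics, project)
  end
end

# Stand-in for AnalyticsMenu#dashboards_analytics_menu_item: returns nil
# (the equivalent of Sidebars::NilMenuItem) when the same check fails.
def dashboards_analytics_menu_item(current_user, project)
  return nil unless can?(current_user, :read_product_analytics, project)

  { item_id: :dashboards_analytics, link: "/#{project.name}/-/analytics/dashboards" }
end

# Constructed sample data: one developer, one guest, plus the anonymous case.
alice = User.new("alice")
bob = User.new("bob")
PROJECT = Project.new("demo", { alice => :developer, bob => :guest }).freeze

if __FILE__ == $PROGRAM_NAME
  [[nil, "anonymous"], [bob, "guest"], [alice, "developer"]].each do |user, label|
    status = DashboardsController.new(user, PROJECT).index[:status]
    menu = dashboards_analytics_menu_item(user, PROJECT) ? "shown" : "hidden"
    puts "#{label}: page=#{status} menu=#{menu}"
  end
end
```

Running it prints a 404 and a hidden menu item for the anonymous and guest cases and a 200 with the item shown for the developer. The design point is that both layers call the same `can?` so they cannot drift apart; a menu that checks a different condition than the controller would either advertise a page that then 404s, or hide a page that is still reachable by URL, which is the bug this issue describes.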
Proposed diff
diff --git a/ee/app/controllers/projects/analytics/dashboards_controller.rb b/ee/app/controllers/projects/analytics/dashboards_controller.rb
index 93502243ba8f..6d479a134dc4 100644
--- a/ee/app/controllers/projects/analytics/dashboards_controller.rb
+++ b/ee/app/controllers/projects/analytics/dashboards_controller.rb
@@ -8,6 +8,7 @@ class DashboardsController < Projects::ApplicationController
feature_category :product_analytics
before_action :dashboards_enabled!, only: [:index]
+ before_action :authorize_read_product_analytics!
before_action :authorize_read_combined_project_analytics_dashboards!
before_action do
push_frontend_feature_flag(:product_analytics_snowplow_support)
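Review bot: the new `before_action :authorize_read_product_analytics!` has no `only:` scope, so unlike `dashboards_enabled!` (scoped to `only: [:index]`) it will run for every action in this controller; that is likely the intent, since any action that exposes dashboard data should be gated, but the merge request description should state it. The hunk also relies on the `read_product_analytics` ability being denied to anonymous users and to members below developer, which nothing in this diff shows; the "Update related specs" item from the plan should include a request spec asserting that a signed-out user and a guest no longer receive the index page while a developer still does.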
diff --git a/ee/lib/ee/sidebars/projects/menus/analytics_menu.rb b/ee/lib/ee/sidebars/projects/menus/analytics_menu.rb
index 99979dc2e091..b4503eb2c860 100644
--- a/ee/lib/ee/sidebars/projects/menus/analytics_menu.rb
+++ b/ee/lib/ee/sidebars/projects/menus/analytics_menu.rb
@@ -92,7 +92,8 @@ def merge_request_analytics_menu_item
def dashboards_analytics_menu_item
unless ::Feature.enabled?(:combined_analytics_dashboards, context.project) &&
context.project.licensed_feature_available?(:combined_project_analytics_dashboards) &&
- can?(context.current_user, :read_combined_project_analytics_dashboards, context.project)
+ can?(context.current_user, :read_combined_project_analytics_dashboards, context.project) &&
+ can?(context.current_user, :read_product_analytics, context.project)
return ::Sidebars::NilMenuItem.new(item_id: :dashboards_analytics)
end
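Review bot: the menu condition now requires both `read_combined_project_analytics_dashboards` and `read_product_analytics`, which mirrors the two `before_action` calls in the controller, but the same compound condition is now maintained by hand in two places. Consider folding the requirement into a single policy rule or shared predicate that both the controller and `dashboards_analytics_menu_item` call, so a later change to one ability cannot leave the sidebar showing a link to a page the controller rejects. A sidebar spec asserting that `::Sidebars::NilMenuItem` is returned for a signed-out user and for a guest would lock in the fix this issue asks for.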
Edited by Halil Coban