Merge pull request #14309 from CartoDB/allow-views-api-keys

Allow views in api keys

NEWS.md

@@ -8,7 +8,7 @@ Development
 - None yet
 
 ### Bug fixes / enhancements
-- None yet
+- Allowing views in API Keys (#14309)
 
 4.22.0 (2018-10-04)
 -------------------

app/models/carto/api_key.rb

@@ -320,27 +320,61 @@ module Carto
       return unless databases.present?
 
       databases[:tables].each do |table|
-        check_table(table)
+        if !check_table(table) && !check_view(table) && !check_materilized_view(table)
+          raise Carto::UnprocesableEntityError.new("relation \"#{table[:schema]}.#{table[:name]}\" does not exist")
+        end
       end
     end
 
     def check_table(table)
       begin
         result = db_run(%{
-                   SELECT *
-                   FROM
-                     pg_tables
-                   WHERE
-                     schemaname = #{db_connection.quote(table[:schema])} AND
-                     tablename = #{db_connection.quote(table[:name])}
-                 })
+          SELECT *
+          FROM
+            pg_tables
+          WHERE
+            schemaname = #{db_connection.quote(table[:schema])} AND
+            tablename = #{db_connection.quote(table[:name])}
+        })
+      rescue StandardError => e
+        raise_unprocessable_entity_error(e)
+      end
+
+      result && !result.count.zero?
+    end
+
+    def check_view(view)
+      begin
+        result = db_run(%{
+          SELECT *
+          FROM
+            pg_views
+          WHERE
+            schemaname = #{db_connection.quote(view[:schema])} AND
+            viewname = #{db_connection.quote(view[:name])}
+        })
       rescue StandardError => e
         raise_unprocessable_entity_error(e)
       end
 
-      if result && result.count.zero?
-        raise Carto::UnprocesableEntityError.new("relation \"#{table[:schema]}.#{table[:name]}\" does not exist")
+      result && !result.count.zero?
+    end
+
+    def check_materilized_view(matview)
+      begin
+        result = db_run(%{
+          SELECT *
+          FROM
+            pg_matviews
+          WHERE
+            schemaname = #{db_connection.quote(matview[:schema])} AND
+            matviewname = #{db_connection.quote(matview[:name])}
+        })
+      rescue StandardError => e
+        raise_unprocessable_entity_error(e)
       end
+
+      result && !result.count.zero?
     end
 
     def invalidate_cache

spec/models/carto/api_key_spec.rb

@@ -159,6 +159,43 @@ describe Carto::ApiKey do
       @user1.in_database.run("ALTER TABLE \"wadus\"\"wadus\" RENAME TO #{old_name}")
     end
 
+    it 'grants view' do
+      view_name = 'cool_view'
+
+      validate_view_api_key(
+        view_name,
+        "CREATE VIEW #{view_name} AS SELECT * FROM #{@table1.name}",
+        "DROP VIEW #{view_name}"
+      )
+
+      validate_view_api_key(
+        view_name,
+        "CREATE MATERIALIZED VIEW #{view_name} AS SELECT * FROM #{@table1.name}",
+        "DROP MATERIALIZED VIEW #{view_name}"
+      )
+    end
+
+    def validate_view_api_key(view_name, create_query, drop_query)
+      @user1.in_database.run(create_query)
+      grants = [apis_grant(['sql']), database_grant(@table1.database_schema, view_name)]
+      api_key = @carto_user1.api_keys.create_regular_key!(name: 'grants_view', grants: grants)
+
+      with_connection_from_api_key(api_key) do |connection|
+        begin
+          connection.execute("select count(1) from #{@table1.name}")
+        rescue Sequel::DatabaseError => e
+          e.message.should include "permission denied for relation #{@table1.name}"
+        end
+
+        connection.execute("select count(1) from #{view_name}") do |result|
+          result[0]['count'].should eq '0'
+        end
+      end
+
+      @user1.in_database.run(drop_query)
+      api_key.destroy
+    end
+
     let (:grants) { [database_grant(@table1.database_schema, @table1.name), apis_grant] }
 
     describe '#destroy' do