From e116e82baacee37a398927bd3558c98ab5c2a266 Mon Sep 17 00:00:00 2001
From: Halil Coban <hcoban@gitlab.com>
Date: Thu, 13 Jul 2023 22:55:19 +0200
Subject: [PATCH] Hide analytics dashboards unless has permission

Currently, the analytics dashboards page and its sidebar item are accessible
to anyone on public projects. This MR limits them to users with at least the
Developer role.
---
 doc/user/analytics/analytics_dashboards.md                    | 4 ++++
 .../controllers/projects/analytics/dashboards_controller.rb   | 1 +
 ee/lib/ee/sidebars/projects/menus/analytics_menu.rb           | 3 ++-
 .../projects/product_analytics/dashboards_shared_examples.rb  | 4 ++++
 ee/spec/lib/ee/sidebars/projects/menus/analytics_menu_spec.rb | 2 +-
 .../requests/projects/analytics/dashboards_controller_spec.rb | 2 +-
 6 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/doc/user/analytics/analytics_dashboards.md b/doc/user/analytics/analytics_dashboards.md
index 9d2c91b6bc87f..7fcae5019823f 100644
--- a/doc/user/analytics/analytics_dashboards.md
+++ b/doc/user/analytics/analytics_dashboards.md
@@ -69,6 +69,10 @@ You can use the dashboard designer to:
 
 ## View project dashboards
 
+Prerequisite:
+
+- You must have at least the Developer role for the project.
+
 To view a list of dashboards (both built-in and custom) for a project:
 
 1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your project.
diff --git a/ee/app/controllers/projects/analytics/dashboards_controller.rb b/ee/app/controllers/projects/analytics/dashboards_controller.rb
index 93502243ba8f3..6d479a134dc4c 100644
--- a/ee/app/controllers/projects/analytics/dashboards_controller.rb
+++ b/ee/app/controllers/projects/analytics/dashboards_controller.rb
@@ -8,6 +8,7 @@ class DashboardsController < Projects::ApplicationController
       feature_category :product_analytics
 
       before_action :dashboards_enabled!, only: [:index]
+      before_action :authorize_read_product_analytics!
       before_action :authorize_read_combined_project_analytics_dashboards!
       before_action do
         push_frontend_feature_flag(:product_analytics_snowplow_support)
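Review bot: The new `authorize_read_product_analytics!` is registered after `dashboards_enabled!`, so for `index` the feature-availability check still runs before any authorization; if `dashboards_enabled!` responds differently from an authorization failure (its body is not visible here), a non-member could still tell which public projects have dashboards enabled. Consider registering both `authorize_*` before_actions ahead of `dashboards_enabled!` so an unauthorized request fails on authorization first. The "at least Developer" guarantee from the commit message is not expressed in this file at all but in the policy that defines `read_product_analytics`, so a short comment would help the next maintainer, e.g. `# Both abilities must hold; the Developer-role floor comes from the read_product_analytics policy rule.` The controller class continues outside the hunk.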
diff --git a/ee/lib/ee/sidebars/projects/menus/analytics_menu.rb b/ee/lib/ee/sidebars/projects/menus/analytics_menu.rb
index 99979dc2e091b..b4503eb2c860a 100644
--- a/ee/lib/ee/sidebars/projects/menus/analytics_menu.rb
+++ b/ee/lib/ee/sidebars/projects/menus/analytics_menu.rb
@@ -92,7 +92,8 @@ def merge_request_analytics_menu_item
           def dashboards_analytics_menu_item
             unless ::Feature.enabled?(:combined_analytics_dashboards, context.project) &&
                 context.project.licensed_feature_available?(:combined_project_analytics_dashboards) &&
-                can?(context.current_user, :read_combined_project_analytics_dashboards, context.project)
+                can?(context.current_user, :read_combined_project_analytics_dashboards, context.project) &&
+                can?(context.current_user, :read_product_analytics, context.project)
               return ::Sidebars::NilMenuItem.new(item_id: :dashboards_analytics)
             end
 
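Review bot: The added `can?` line makes this `unless` guard a four-term `&&` chain that duplicates the controller's pair of authorization checks in a second place; negated conjunctions are hard to read, and the two lists can drift silently because hiding the sidebar item is only a visibility aid while the controller is the real access control. I would extract the condition into a predicate and state that relationship in a comment. `dashboards_analytics_menu_item` continues past the end of the hunk.

```ruby
def dashboards_analytics_available?
  ::Feature.enabled?(:combined_analytics_dashboards, context.project) &&
    context.project.licensed_feature_available?(:combined_project_analytics_dashboards) &&
    can?(context.current_user, :read_combined_project_analytics_dashboards, context.project) &&
    can?(context.current_user, :read_product_analytics, context.project)
end

def dashboards_analytics_menu_item
  # Visibility only: access is enforced by the dashboards controller's
  # before_actions, which must check the same abilities as the predicate above.
  return ::Sidebars::NilMenuItem.new(item_id: :dashboards_analytics) unless dashboards_analytics_available?
  # … unchanged: menu item construction (continues outside the hunk) …
```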
diff --git a/ee/spec/features/projects/product_analytics/dashboards_shared_examples.rb b/ee/spec/features/projects/product_analytics/dashboards_shared_examples.rb
index 9d90afec18507..1bbb0b968b322 100644
--- a/ee/spec/features/projects/product_analytics/dashboards_shared_examples.rb
+++ b/ee/spec/features/projects/product_analytics/dashboards_shared_examples.rb
@@ -117,6 +117,10 @@
         end
 
         context 'without the correct user permissions' do
+          before do
+            project.add_reporter(user)
+          end
+
           it_behaves_like 'does not render the product analytics list item'
         end
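Review bot: After adding `project.add_reporter(user)` to this context, the only "without the correct user permissions" case this feature spec exercises is a Reporter, so the scenario the commit message describes — a user with no membership on a public project — is no longer covered here (assuming `user` had no role before this change; the context's setup is outside the hunk). A second context such as `context 'with a user who is not a member' do` reusing `it_behaves_like 'does not render the product analytics list item'` would pin the original exposure alongside the new Reporter case.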
 
diff --git a/ee/spec/lib/ee/sidebars/projects/menus/analytics_menu_spec.rb b/ee/spec/lib/ee/sidebars/projects/menus/analytics_menu_spec.rb
index 1014e86f6cff7..8f1c612fdcaf7 100644
--- a/ee/spec/lib/ee/sidebars/projects/menus/analytics_menu_spec.rb
+++ b/ee/spec/lib/ee/sidebars/projects/menus/analytics_menu_spec.rb
@@ -116,7 +116,7 @@
       context 'with different user access levels' do
         where(:access_level, :has_menu_item) do
           nil         | false
-          :reporter   | true
+          :reporter   | false
           :developer  | true
           :maintainer | true
         end
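Review bot: The access-level table has no `:guest` row, so Reporter is the only role below Developer pinned as hidden; a `:guest | false` row would close that gap in one line. Whether `project` in this spec is public is not visible in the hunk, and the commit exists to fix exposure on public projects, so the `nil` row only proves the fix if it runs against a public project — worth confirming in the spec's setup.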
diff --git a/ee/spec/requests/projects/analytics/dashboards_controller_spec.rb b/ee/spec/requests/projects/analytics/dashboards_controller_spec.rb
index d358a2f2cc4af..742b861461180 100644
--- a/ee/spec/requests/projects/analytics/dashboards_controller_spec.rb
+++ b/ee/spec/requests/projects/analytics/dashboards_controller_spec.rb
@@ -79,7 +79,7 @@
       context 'with the licensed feature' do
         where(:access_level, :example_to_run) do
           nil         | 'returns not found'
-          :reporter   | 'returns success'
+          :reporter   | 'returns not found'
           :developer  | 'returns success'
           :maintainer | 'returns success'
         end
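Review bot: The `nil | 'returns not found'` row pins the non-member case, but the hunk does not show whether that request is made signed-out or as a signed-in non-member, nor whether `project` is public; the exposure this commit fixes is specifically anonymous access on public projects, so both variants deserve an explicit row or context. A `:guest | 'returns not found'` row would also document the role floor below Developer for one more line.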
-- 
GitLab