
Added query_viewable hook

Andrew 6 years ago
parent
commit
4f02f7ce04

+ 24 - 4
app/controllers/blazer/queries_controller.rb

@@ -1,6 +1,7 @@
 module Blazer
   class QueriesController < BaseController
     before_action :set_query, only: [:show, :edit, :update, :destroy, :refresh]
+    before_action :set_data_source, only: [:tables, :schema, :cancel]
 
     def home
       if params[:filter] == "dashboards"
@@ -83,7 +84,10 @@ module Blazer
       data_source = @query.data_source if @query && @query.data_source
       @data_source = Blazer.data_sources[data_source]
 
-      if @run_id
+      # ensure viewable
+      if !(@query || Query.new(data_source: @data_source.id)).viewable?(blazer_user)
+        render_forbidden
+      elsif @run_id
         @timestamp = blazer_params[:timestamp].to_i
 
         @result = @data_source.run_results(@run_id)
@@ -174,20 +178,28 @@ module Blazer
     end
 
     def tables
-      render json: Blazer.data_sources[params[:data_source]].tables
+      render json: @data_source.tables
     end
 
     def schema
-      @schema = Blazer.data_sources[params[:data_source]].schema
+      @schema = @data_source.schema
     end
 
     def cancel
-      Blazer.data_sources[params[:data_source]].cancel(blazer_run_id)
+      @data_source.cancel(blazer_run_id)
       head :ok
     end
 
     private
 
+      def set_data_source
+        @data_source = Blazer.data_sources[params[:data_source]]
+
+        unless Query.new(data_source: @data_source.id).editable?(blazer_user)
+          render_forbidden
+        end
+      end
+
       def continue_run
         render json: {run_id: @run_id, timestamp: @timestamp}, status: :accepted
       end
@@ -286,6 +298,14 @@ module Blazer
 
       def set_query
         @query = Blazer::Query.find(params[:id].to_s.split("-").first)
+
+        unless @query.viewable?(blazer_user)
+          render_forbidden
+        end
+      end
+
+      def render_forbidden
+        render plain: "Access denied", status: :forbidden
       end
 
       def query_params
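Review bot: `set_data_source` calls `@data_source.id` immediately after the `Blazer.data_sources[params[:data_source]]` lookup, so a request naming an unknown data source would raise NoMethodError (a 500) before the authorization check runs, unless `Blazer.data_sources[]` itself raises for unrecognised keys — worth confirming, since the show/run hunk repeats the same pattern (`Blazer.data_sources[data_source]` followed by `@data_source.id`). A guard such as `return render_forbidden unless @data_source` before the `Query.new` line keeps an unrecognised identifier from ever reaching the hook. Two style points: the three-line `unless … end` bodies in `set_data_source` and `set_query` read better in modifier form, `render_forbidden unless @query.viewable?(blazer_user)`, and `if !(@query || …).viewable?(blazer_user)` in the show hunk is clearer as `unless`. The action containing the show hunk starts before it; `Query` is referenced unqualified there and in `set_data_source` but as `Blazer::Query` in `set_query`, so one spelling would be consistent.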

+ 9 - 0
app/models/blazer/query.rb

@@ -18,8 +18,17 @@ module Blazer
       name.to_s.sub(/\A[#\*]/, "").gsub(/\[.+\]/, "").strip
     end
 
+    def viewable?(user)
+      if Blazer.query_viewable
+        Blazer.query_viewable.call(self, user)
+      else
+        true
+      end
+    end
+
     def editable?(user)
       editable = !persisted? || (name.present? && name.first != "*" && name.first != "#") || user == try(:creator)
+      editable &&= viewable?(user)
       editable &&= Blazer.query_editable.call(self, user) if Blazer.query_editable
       editable
     end
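Review bot: The new `viewable?` hook has no documentation of its contract, and its result is returned raw from whatever `Blazer.query_viewable` returns, so a hook that returns nil silently denies access — acceptable, but worth stating. A short comment above the method would help integrators: `# Blazer.query_viewable is an optional callable(query, user); when it is unset every query is viewable, and editable? now requires viewable? before consulting query_editable.` The body can also follow the shape already used in `editable?`, `!Blazer.query_viewable || Blazer.query_viewable.call(self, user)`, which keeps the same truthiness as the `if`/`else` form in fewer lines.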

+ 1 - 1
app/views/blazer/queries/_form.html.erb

@@ -17,7 +17,7 @@
             <%= link_to "Back", :back %>
           </div>
           <a :href="dataSourcePath" target="_blank" style="margin-right: 10px;">Schema</a>
-          <%= f.select :data_source, Blazer.data_sources.values.select { |ds| q = @query.dup; q.data_source = ds.id; q.editable?(blazer_user) }.map { |ds| [ds.name, ds.id] }, {}, class: ("hide" if Blazer.data_sources.size == 1), style: "width: 140px;" %>
+          <%= f.select :data_source, Blazer.data_sources.values.select { |ds| q = @query.dup; q.data_source = ds.id; q.editable?(blazer_user) }.map { |ds| [ds.name, ds.id] }, {}, class: ("hide" if Blazer.data_sources.size <= 1), style: "width: 140px;" %>
           <div id="tables" style="display: inline-block; width: 250px; margin-right: 10px;">
             <select id="table_names" style="width: 240px;" placeholder="Preview table"></select>
           </div>

+ 1 - 0
lib/blazer.rb

@@ -36,6 +36,7 @@ module Blazer
     attr_accessor :anomaly_checks
     attr_accessor :async
     attr_accessor :images
+    attr_accessor :query_viewable
     attr_accessor :query_editable
   end
   self.audit = true