fleetdm · eashaw · Jan 9, 2025 · Jan 9, 2025 · Jan 9, 2025 · Jan 10, 2025
diff --git a/...ontrollers/admin/get-llm-generated-sql.js → .../query-generator/get-llm-generated-sql.js b/...ontrollers/admin/get-llm-generated-sql.js → .../query-generator/get-llm-generated-sql.js
diff --git a/...controllers/admin/view-query-generator.js → ...s/query-generator/view-query-generator.js b/...controllers/admin/view-query-generator.js → ...s/query-generator/view-query-generator.js
diff --git a/website/api/models/User.js b/website/api/models/User.js
@@ -271,6 +271,12 @@ without necessarily having a billing card.`
       description: 'A JS timestamp of when this user\'s Fleet Premium trial license key expires.',
     },
 
+    canUseQueryGenerator: {
+      type: 'boolean',
+      description: 'Whether or not this user can access the query generator page',
+      defaultsTo: false,
+    },
+
     //  ╔═╗╔╦╗╔╗ ╔═╗╔╦╗╔═╗
     //  ║╣ ║║║╠╩╗║╣  ║║╚═╗
     //  ╚═╝╩ ╩╚═╝╚═╝═╩╝╚═╝

diff --git a/website/api/policies/has-query-generator-access.js b/website/api/policies/has-query-generator-access.js
@@ -0,0 +1,37 @@
+/**
+ * has-query-generator-access
+ *
+ * A simple policy that blocks requests from users who have not been granted access to the query generator.
+ *
+ * For more about how to use policies, see:
+ *   https://sailsjs.com/config/policies
+ *   https://sailsjs.com/docs/concepts/policies
+ *   https://sailsjs.com/docs/concepts/policies/access-control-and-permissions
+ */
+module.exports = async function (req, res, proceed) {
+
+  // First, check whether the request comes from a logged-in user.
+  // > For more about where `req.me` comes from, check out this app's
+  // > custom hook (`api/hooks/custom/index.js`).
+  if (!req.me) {
+    // Rather than use the standard res.unauthorized(), if the request did not come from a logged-in user,
+    // we'll redirect them to an generic version of the customer login page.
+    if (req.wantsJSON) {
+      return res.sendStatus(401);
+    } else {
+      return res.redirect('/login');
+    }
+  }//•
+
+  // Check if this user can access the query generator.
+  if (!req.me.canUseQueryGenerator) {
+    return res.forbidden();
+  // Then check that this user is a "super admin".
+  } else if (!req.me.canUseQueryGenerator && !req.me.isSuperAdmin) {
+    return res.forbidden();
+  }
+
+  // IWMIH, this user can access the query generator.
+  return proceed();
+
+};
diff --git a/website/assets/js/cloud.setup.js b/website/assets/js/cloud.setup.js
diff --git a/website/config/policies.js b/website/config/policies.js
@@ -12,6 +12,7 @@ module.exports.policies = {
 
   '*': 'is-logged-in',
   'admin/*': 'is-super-admin',
+  'query-generator/*': 'has-query-generator-access',
 
   // Bypass the `is-logged-in` policy for:
   'entrance/*': true,

diff --git a/website/config/routes.js b/website/config/routes.js
@@ -448,7 +448,12 @@ module.exports.routes = {
     }
   },
 
-  'GET /admin/query-generator': { action: 'admin/view-query-generator' },
+  'GET /query-generator': {
+    action: 'query-generator/view-query-generator',
+    locals: {
+      showAdminLinks: true,
+    }
+  },
 
   //  ╦  ╔═╗╔═╗╔═╗╔═╗╦ ╦  ╦═╗╔═╗╔╦╗╦╦═╗╔═╗╔═╗╔╦╗╔═╗
   //  ║  ║╣ ║ ╦╠═╣║  ╚╦╝  ╠╦╝║╣  ║║║╠╦╝║╣ ║   ║ ╚═╗
@@ -908,5 +913,5 @@ module.exports.routes = {
   'POST /api/v1/deliver-deal-registration-submission': { action: 'deliver-deal-registration-submission' },
   '/api/v1/unsubscribe-from-marketing-emails': { action: 'unsubscribe-from-marketing-emails' },
   'POST /api/v1/customers/get-stripe-checkout-session-url': { action: 'customers/get-stripe-checkout-session-url' },
-  'POST /api/v1/admin/get-llm-generated-sql': { action: 'admin/get-llm-generated-sql' },
+  'POST /api/v1/query-generator/get-llm-generated-sql': { action: 'query-generator/get-llm-generated-sql' },
 };
diff --git a/website/views/layouts/layout.ejs b/website/views/layouts/layout.ejs
@@ -206,6 +206,7 @@
                     <hr>
                     <a purpose="mobile-dropdown-toggle" class="d-flex align-items-center mr-4 collapsed" data-toggle="collapse" data-target="#mobileNavbarToggleAdmin">Admin</a>
                     <div id="mobileNavbarToggleAdmin" purpose="mobile-dropdown" class="collapse" data-parent="#mobileDropdowns">
+                      <a purpose="mobile-dropdown-link" href="/query-generator">Generate queries</a>
                       <a purpose="mobile-dropdown-link" href="/admin/generate-license">License generator</a>
                       <a purpose="mobile-dropdown-link" href="/admin/email-preview">HTML Email preview tool</a>
                     </div>
@@ -289,7 +290,7 @@
                 <span>Admin pages</span>
               </div>
               <div class="d-flex flex-row align-self-end justify-content-between">
-                <a purpose="admin-link" style="text-decoration: none; line-height: 23px;" href="/admin/query-generator">Generate queries</a>
+                <a purpose="admin-link" style="text-decoration: none; line-height: 23px;" href="/query-generator">Generate queries</a>
                 <a purpose="admin-link" style="text-decoration: none; line-height: 23px;" href="/admin/generate-license">License generator</a>
                 <a purpose="admin-link" style="text-decoration: none; line-height: 23px;" href="/admin/email-preview">HTML Email preview tool</a>
               </div>