From 43a4139664e4e947e1cc468c63b62df63d36373f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dafydd=20Ll=C5=B7r=20Pearson?= <DafyddLlyr@gmail.com>
Date: Fri, 24 May 2024 16:30:11 +0100
Subject: [PATCH] chore: Restrict public access to offline flows

---
 api.planx.uk/helpers.ts              |  6 ++---
 hasura.planx.uk/metadata/tables.yaml | 34 ++++++++++++++++++++++++----
 2 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/api.planx.uk/helpers.ts b/api.planx.uk/helpers.ts
index 6bbcf5b71e..05242581c3 100644
--- a/api.planx.uk/helpers.ts
+++ b/api.planx.uk/helpers.ts
@@ -2,7 +2,7 @@ import { gql } from "graphql-request";
 import { capitalize } from "lodash";
 import { Flow, Node } from "./types";
 import { ComponentType, FlowGraph } from "@opensystemslab/planx-core/types";
-import { $public, getClient } from "./client";
+import { $api, $public, getClient } from "./client";
 
 export interface FlowData {
   slug: string;
@@ -22,7 +22,7 @@ export interface FlowData {
 
 // Get a flow's data (unflattened, without external portal nodes)
 const getFlowData = async (id: string): Promise<FlowData> => {
-  const { flow } = await $public.client.request<{ flow: FlowData | null }>(
+  const { flow } = await $api.client.request<{ flow: FlowData | null }>(
     gql`
       query GetFlowData($id: uuid!) {
         flow: flows_by_pk(id: $id) {
@@ -146,7 +146,7 @@ interface PublishedFlows {
 const getMostRecentPublishedFlow = async (
   id: string,
 ): Promise<Flow["data"] | undefined> => {
-  const { flow } = await $public.client.request<PublishedFlows>(
+  const { flow } = await $api.client.request<PublishedFlows>(
     gql`
       query GetMostRecentPublishedFlow($id: uuid!) {
         flow: flows_by_pk(id: $id) {
diff --git a/hasura.planx.uk/metadata/tables.yaml b/hasura.planx.uk/metadata/tables.yaml
index e8c8717c4b..cc092977ef 100644
--- a/hasura.planx.uk/metadata/tables.yaml
+++ b/hasura.planx.uk/metadata/tables.yaml
@@ -1,10 +1,17 @@
 - table:
     name: analytics
     schema: public
+  object_relationships:
+    - name: flow
+      using:
+        foreign_key_constraint_on: flow_id
   insert_permissions:
     - role: public
       permission:
-        check: {}
+        check:
+          flow:
+            status:
+              _eq: online
         columns:
           - created_at
           - flow_id
@@ -23,15 +30,26 @@
       permission:
         columns:
           - ended_at
-        filter: {}
+        filter:
+          flow:
+            status:
+              _eq: online
         check: null
 - table:
     name: analytics_logs
     schema: public
+  object_relationships:
+    - name: analytic
+      using:
+        foreign_key_constraint_on: analytics_id
   insert_permissions:
     - role: public
       permission:
-        check: {}
+        check:
+          analytic:
+            flow:
+              status:
+                _eq: online
         columns:
           - analytics_id
           - created_at
@@ -65,7 +83,11 @@
           - metadata
           - next_log_created_at
           - user_exit
-        filter: {}
+        filter:
+          analytic:
+            flow:
+              status:
+                _eq: online
         check: null
 - table:
     name: analytics_summary
@@ -543,7 +565,9 @@
           - version
         computed_fields:
           - data_merged
-        filter: {}
+        filter:
+          status:
+            _eq: online
         allow_aggregations: true
     - role: teamEditor
       permission: