author | Struan Donald <struan@exo.org.uk> | 2017-11-22 16:44:19 +0000 |
---|---|---|
committer | Matthew Somerville <matthew-github@dracos.co.uk> | 2017-11-29 20:55:41 +0000 |
commit | 250cbde400f03f20f1801e828a6c9da3c0881381 (patch) | |
tree | 3c8bbea5d7346e78b6dab5f5a90572d74c0fb612 | |
parent | 7d3ddfbdd9ddaf07d79909262df898a631630d1e (diff) |
allow dashboard CSV export access using token auth
-rw-r--r-- | CHANGELOG.md | 1 | ||||
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Dashboard.pm | 4 | ||||
-rw-r--r-- | t/app/controller/dashboard.t | 16 |
3 files changed, 21 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5f9e335a9..a80b26720 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -49,6 +49,7 @@
 - Admins can now unban users #1881
 - Council dashboard has date range for report generation #1885
 - More JavaScript-enhanced `<select multiple>` elements #1589
+ - Council dashboard CSV export now has token based authentication #1911
 - UK:
 - Use SVG logo, inlined on front page. #1887
 - Inline critical CSS on front page.
diff --git a/perllib/FixMyStreet/App/Controller/Dashboard.pm b/perllib/FixMyStreet/App/Controller/Dashboard.pm
index 27661b736..264845d40 100644
--- a/perllib/FixMyStreet/App/Controller/Dashboard.pm
+++ b/perllib/FixMyStreet/App/Controller/Dashboard.pm
@@ -91,6 +91,10 @@ Show the dashboard table.
 sub index : Path : Args(0) {
 my ( $self, $c ) = @_;
+ if ($c->get_param('export')) {
+ $c->authenticate(undef, "access_token");
+ }
+
 my $body = $c->forward('check_page_allowed');
 $c->stash->{body} = $body;
diff --git a/t/app/controller/dashboard.t b/t/app/controller/dashboard.t
index c1706cc81..83833ee7d 100644
--- a/t/app/controller/dashboard.t
+++ b/t/app/controller/dashboard.t
@@ -673,6 +673,22 @@ FixMyStreet::override_config {
 is scalar @rows, 2, '1 (header) + 1 (reports) = 2 lines';
 };
+
+ subtest 'export as csv using token' => sub {
+ $mech->log_out_ok;
+
+ $user->set_extra_metadata('access_token', '1234567890abcdefgh');
+ $user->update();
+
+ $mech->get_ok('/dashboard?export=1');
+ like $mech->res->header('Content-type'), qr'text/html';
+ $mech->content_lacks('Report ID');
+
+ $mech->add_header('Authorization', 'Bearer 1234567890abcdefgh');
+ $mech->get_ok('/dashboard?export=1');
+ like $mech->res->header('Content-type'), qr'text/csv';
+ $mech->content_contains('Report ID');
+ };
 };
 restore_time; |
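Review bot: The return value of `$c->authenticate(undef, "access_token")` in `index` is discarded, so a request with a missing or wrong bearer token is turned away only by `check_page_allowed`, whose body is outside this hunk. A comment would make that dependency explicit, e.g. `# Token auth is optional here; on failure no user is set and check_page_allowed rejects the request`. It is also worth confirming that the `access_token` realm does not persist the user into the session (Catalyst's authentication plugin stores the user there by default unless `use_session` is turned off); otherwise a single bearer-authenticated export request would presumably leave the caller holding a normal session cookie. The rest of `index` continues past the end of the hunk.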
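Review bot: The new subtest in t/app/controller/dashboard.t covers only the no-token and valid-token cases; it never sends a non-matching token, nor a valid token for a user without dashboard access, so a regression that accepted any `Authorization: Bearer` value would still pass. I would add a request carrying a bearer value that differs from the stored one and assert `$mech->content_lacks('Report ID')` on it. The `add_header('Authorization', ...)` call also stays in effect on `$mech` for every later request, so the subtest should end with `$mech->delete_header('Authorization');`. The enclosing `override_config` block starts outside the hunk.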