statistics: Guest user can't access realm statistics.

Don't allow guest user to access realm statistics from
UI or at API level.

Fixes part of #10749.

analytics/tests/test_views.py

@@ -24,6 +24,15 @@ class TestStatsEndpoint(ZulipTestCase):
         # Check that we get something back
         self.assert_in_response("Zulip analytics for", result)
 
+    def test_guest_user_cant_access_stats(self) -> None:
+        self.user = self.example_user('polonius')
+        self.login(self.user.email)
+        result = self.client_get('/stats')
+        self.assert_json_error(result, "Not allowed for guest users", 400)
+
+        result = self.client_get('/json/analytics/chart_data')
+        self.assert_json_error(result, "Not allowed for guest users", 400)
+
     def test_stats_for_realm(self) -> None:
         user_profile = self.example_user('hamlet')
         self.login(user_profile.email)

analytics/views.py

@@ -27,7 +27,7 @@ from analytics.lib.time_utils import time_range
 from analytics.models import BaseCount, InstallationCount, \
     RealmCount, StreamCount, UserCount, last_successful_fill, installation_epoch
 from zerver.decorator import require_server_admin, require_server_admin_api, \
-    to_non_negative_int, to_utc_datetime, zulip_login_required
+    to_non_negative_int, to_utc_datetime, zulip_login_required, require_non_guest_user
 from zerver.lib.exceptions import JsonableError
 from zerver.lib.json_encoder_for_html import JSONEncoderForHTML
 from zerver.lib.request import REQ, has_request_variables
@@ -52,6 +52,10 @@ def render_stats(request: HttpRequest, data_url_suffix: str, target_name: str,
 @zulip_login_required
 def stats(request: HttpRequest) -> HttpResponse:
     realm = request.user.realm
+    if request.user.is_guest:
+        # TODO: Make @zulip_login_required pass the UserProfile so we
+        # can use @require_non_guest_human_user
+        raise JsonableError(_("Not allowed for guest users"))
     return render_stats(request, '', realm.name or realm.string_id)
 
 @require_server_admin
@@ -83,6 +87,7 @@ def get_chart_data_for_installation(request: HttpRequest, user_profile: UserProf
                                     chart_name: str=REQ(), **kwargs: Any) -> HttpResponse:
     return get_chart_data(request=request, user_profile=user_profile, for_installation=True, **kwargs)
 
+@require_non_guest_user
 @has_request_variables
 def get_chart_data(request: HttpRequest, user_profile: UserProfile, chart_name: str=REQ(),
                    min_length: Optional[int]=REQ(converter=to_non_negative_int, default=None),

templates/zerver/app/navbar.html

@@ -147,12 +147,14 @@
                                     <i class="fa fa-sitemap" aria-hidden="true"></i> {{ _('API documentation') }}
                                 </a>
                             </li>
+                            {% if not is_guest %}
                             <li role="presentation">
                                 <a href="/stats" target="_blank" role="menuitem">
                                     <i class="fa fa-bar-chart" aria-hidden="true"></i>
                                     <span>{{ _('Statistics') }}</span>
                                 </a>
                             </li>
+                            {% endif %}
                             {% if show_plans %}
                             <li role="presentation">
                                 <a href="/plans" role="menuitem">