Prevent access to entity list that is not published #467
Comments
Steps to reproduce:
Is it ready for testing?
I'm not really sure if I understand this one well: "You would be able to see dataset details, however when you click on "Data" tab it will throw 404 error". If the dataset/form isn't published yet, there isn't an entity-list page with a Data tab, so I can't click it. If I try to access the Entity-list page Data tab by URL, I get "Could not find the resource...". Is there another way to access the entity list Data tab, or maybe it's not the Data tab I'm thinking about, or should we just check the 404 error via URL?
Those are "steps to reproduce"; since we have fixed the issue, it is not reproducible. To verify the fix is correct, you have to test that you can't access an unpublished "Entity list" by any means.
Tested with Success!
Tested with success!
Problem description
It looks like entity lists that are not published are still accessible, at least to some extent. I think we should make them fully inaccessible.
In this project, I've created a single draft form that if published, would publish the project's first entity list: https://staging.getodk.cloud/#/projects/36/forms/trees_registration_demo/draft. Under "Entity List is updated by this Form:", "trees" links to the entity list overview. I don't think we should render a link if the entity list is new.
Clicking the link navigates to the entity list overview successfully. Instead, I think Backend should return a 404 if an entity list isn't published: https://staging.getodk.cloud/#/projects/36/entity-lists/trees. Clicking the Data tab does result in a 404, so we seem to be doing this for at least some endpoint.
Note that /v1/projects/:id/datasets does not return entity lists that are not published: https://staging.getodk.cloud/#/projects/36/entity-lists. I think /v1/projects/:id/datasets/:name should also prevent access to an entity list that is not published.
Screenshot
Central version shown in version.txt
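The behavior requested in the problem description, sketched as an added example (this is not ODK Central's code): every dataset route resolves the entity list through one lookup that treats an unpublished list exactly like a nonexistent one. The `publishedAt` field, the `handle` router, the `/entities` sub-route standing in for the Data tab, and the sample rows are assumptions constructed for illustration.

```javascript
// Constructed sample data: "people" is published, "trees" exists only
// because a draft form references it. `publishedAt` is an assumed field.
const datasets = [
  { projectId: 36, name: 'people', publishedAt: '2023-05-01T00:00:00Z' },
  { projectId: 36, name: 'trees', publishedAt: null },
];

const isPublished = (ds) => ds.publishedAt != null;

// One response object for "does not exist" and "exists but unpublished",
// so a caller cannot tell the two apart.
const NOT_FOUND = Object.freeze({ status: 404, body: { message: 'Not found' } });

// Single lookup shared by every per-dataset route, so the published
// check cannot be skipped on one endpoint and applied on another.
function findPublished(projectId, name) {
  const ds = datasets.find((d) => d.projectId === projectId && d.name === name);
  return ds && isPublished(ds) ? ds : null;
}

// Hypothetical minimal router covering the list, detail and data routes.
function handle(path) {
  let m = path.match(/^\/v1\/projects\/(\d+)\/datasets$/);
  if (m) {
    const names = datasets
      .filter((d) => d.projectId === Number(m[1]) && isPublished(d))
      .map((d) => d.name);
    return { status: 200, body: names };
  }
  m = path.match(/^\/v1\/projects\/(\d+)\/datasets\/([^/]+)(\/entities)?$/);
  if (m) {
    const ds = findPublished(Number(m[1]), m[2]);
    if (!ds) return NOT_FOUND;
    // Detail route returns metadata; the data route returns (empty) rows.
    return { status: 200, body: m[3] ? [] : { name: ds.name } };
  }
  return NOT_FOUND;
}

// Regression check in the spirit of "can't access it by any means":
// probe every route for the unpublished list and collect any that leak.
function leakingRoutes(projectId, name) {
  const base = `/v1/projects/${projectId}/datasets`;
  const leaks = [`${base}/${name}`, `${base}/${name}/entities`]
    .filter((p) => handle(p).status !== 404);
  if (handle(base).body.includes(name)) leaks.push(base);
  return leaks;
}
```
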