Refine gamma experience (#883)

* gamma: filter the sqla tables the user has access to

Refs #359

* gamma: filter slices available for dashboards in DashboardModelView

Refs #359

* gamma: limit owners to dashboard to self

As we don't want to leak other users to unprivileged users

Refs #359
This commit is contained in:
Riccardo Magliocchetti 2016-08-17 06:37:55 +02:00 committed by Maxime Beauchemin
parent 88f4260777
commit 061d4f1ac7
1 changed files with 38 additions and 0 deletions


@ -127,6 +127,19 @@ class CaravelFilter(BaseFilter):
return perms
class TableSlice(CaravelFilter):
def apply(self, query, func): # noqa
if any([r.name in ('Admin', 'Alpha') for r in get_user_roles()]):
return query
perms = self.get_perms()
tables = []
for perm in perms:
match = re.search(r'\(id:(\d+)\)', perm)
tables.append(match.group(1))
qry = query.filter(self.model.id.in_(tables))
return qry
class FilterSlice(CaravelFilter):
def apply(self, query, func): # noqa
if any([r.name in ('Admin', 'Alpha') for r in get_user_roles()]):
@ -157,6 +170,22 @@ class FilterDashboard(CaravelFilter):
return query
class FilterDashboardSlices(CaravelFilter):
def apply(self, query, value): # noqa
if any([r.name in ('Admin', 'Alpha') for r in get_user_roles()]):
return query
qry = query.filter(self.model.perm.in_(self.get_perms()))
return qry
class FilterDashboardOwners(CaravelFilter):
def apply(self, query, value): # noqa
if any([r.name in ('Admin', 'Alpha') for r in get_user_roles()]):
return query
qry = query.filter_by(id=g.user.id)
return qry
def validate_json(form, field): # noqa
try:
json.loads(field.data)
@ -448,6 +477,7 @@ class TableModelView(CaravelModelView, DeleteMixin): # noqa
"Supports <a href='https://daringfireball.net/projects/markdown/'>"
"markdown</a>"),
}
base_filters = [['id', TableSlice, lambda: []]]
label_columns = {
'table_link': _("Table"),
'changed_by_': _("Changed By"),
@ -652,6 +682,14 @@ class DashboardModelView(CaravelModelView, DeleteMixin): # noqa
'owners': _("Owners is a list of users who can alter the dashboard."),
}
base_filters = [['slice', FilterDashboard, lambda: []]]
add_form_query_rel_fields = {
'slices': [['slices', FilterDashboardSlices, None]],
'owners': [['owners', FilterDashboardOwners, None]],
}
edit_form_query_rel_fields = {
'slices': [['slices', FilterDashboardSlices, None]],
'owners': [['owners', FilterDashboardOwners, None]],
}
label_columns = {
'dashboard_link': _("Dashboard"),
'dashboard_title': _("Title"),
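Review bot: In the first hunk, `TableSlice.apply` calls `match.group(1)` right after `re.search(r'\(id:(\d+)\)', perm)` without checking the result, so any permission string returned by `get_perms()` that lacks an `(id:N)` suffix makes the whole table listing fail with AttributeError for a non-Admin/Alpha user instead of simply being skipped; guard it with `if match:` before `tables.append(match.group(1))`. The resulting `tables` list also holds strings and may be empty, and `self.model.id.in_([])` is, as far as I recall, something SQLAlchemy warns about and turns into an always-false clause, so an explicit empty-result short circuit (returning a query filtered on `False`) would make the "no access" case deterministic. As a point of style, the `any([r.name in ('Admin', 'Alpha') for r in get_user_roles()])` check now appears in four filters in this file; a small `_is_privileged_user()` helper using a generator expression rather than a list would keep the bypass rule in one place. The `FilterSlice.apply` body at the end of the first hunk continues outside the hunk.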