Allow Gamma and Alpha to access '/users/userinfo/' (#6936)

* Allow Gamma and Alpha to access '/users/userinfo/' closes https://github.com/apache/incubator-superset/issues/4919 * Fix unit test * Fix test
2019-04-22 11:23:54 -07:00 · 2019-04-22 11:23:54 -07:00 · 36a219da7f
parent aa1d9ae303
commit 36a219da7f
3 changed files with 18 additions and 7 deletions
--- a/superset/security.py
+++ b/superset/security.py
@ -81,19 +81,23 @@ class SupersetSecurityManager(SecurityManager):
        'can_list',
    }

-    ALPHA_ONLY_PERMISSIONS = set([
+    ALPHA_ONLY_PERMISSIONS = {
        'muldelete',
        'all_database_access',
        'all_datasource_access',
-    ])
+    }

-    OBJECT_SPEC_PERMISSIONS = set([
+    OBJECT_SPEC_PERMISSIONS = {
        'database_access',
        'schema_access',
        'datasource_access',
        'metric_access',
        'can_only_access_owned_queries',
-    ])
+    }
+
+    ACCESSIBLE_PERMS = {
+        'can_userinfo',
+    }

    def get_schema_perm(self, database, schema):
        if schema:
@ -386,15 +390,21 @@ class SupersetSecurityManager(SecurityManager):
            pvm.permission.name in self.ALPHA_ONLY_PERMISSIONS
        )

+    def is_accessible_to_all(self, pvm):
+        return pvm.permission.name in self.ACCESSIBLE_PERMS
+
    def is_admin_pvm(self, pvm):
        return not self.is_user_defined_permission(pvm)

    def is_alpha_pvm(self, pvm):
-        return not (self.is_user_defined_permission(pvm) or self.is_admin_only(pvm))
+        return (
+            not (self.is_user_defined_permission(pvm) or self.is_admin_only(pvm)) or
+            self.is_accessible_to_all(pvm)
+        )

    def is_gamma_pvm(self, pvm):
        return not (self.is_user_defined_permission(pvm) or self.is_admin_only(pvm) or
-                    self.is_alpha_only(pvm))
+                    self.is_alpha_only(pvm)) or self.is_accessible_to_all(pvm)

    def is_sql_lab_pvm(self, pvm):
        return (
--- a/tests/core_tests.py
+++ b/tests/core_tests.py
@ -189,7 +189,6 @@ class CoreTests(SupersetTestCase):
            assert_func('ResetPasswordView', view_menus)
            assert_func('RoleModelView', view_menus)
            assert_func('Security', view_menus)
-            assert_func('UserDBModelView', view_menus)
            assert_func('SQL Lab',
                        view_menus)

--- a/tests/security_tests.py
+++ b/tests/security_tests.py
@ -76,6 +76,7 @@ class RolePermissionTests(SupersetTestCase):
        self.assertIn(('can_slice', 'Superset'), perm_set)
        self.assertIn(('can_explore', 'Superset'), perm_set)
        self.assertIn(('can_explore_json', 'Superset'), perm_set)
+        self.assertIn(('can_userinfo', 'UserDBModelView'), perm_set)

    def assert_can_alpha(self, perm_set):
        self.assert_can_all('SqlMetricInlineView', perm_set)
@ -231,6 +232,7 @@ class RolePermissionTests(SupersetTestCase):
        self.assertIn(('can_fave_slices', 'Superset'), gamma_perm_set)
        self.assertIn(('can_save_dash', 'Superset'), gamma_perm_set)
        self.assertIn(('can_slice', 'Superset'), gamma_perm_set)
+        self.assertIn(('can_userinfo', 'UserDBModelView'), gamma_perm_set)

    def test_views_are_secured(self):
        """Preventing the addition of unsecured views without has_access decorator"""