fix(permissions): alpha role has all full features (#10241)

* fix(permissions): alpha role is inconsistent * reverse and allow Alpha to access manager menu * Bump FAB to 3.0.1rc1 to include del permission fix * add docs, tests and UPDATING * EOL * Fix query view for Alpha
2020-07-27 10:32:30 +01:00 · 2020-07-27 10:32:30 +01:00 · 562012c586
parent d45ef1c513
commit 562012c586
4 changed files with 34 additions and 6 deletions
--- a/UPDATING.md
+++ b/UPDATING.md
@ -23,6 +23,8 @@ assists people when migrating to a new version.

 ## Next

+* [10241](https://github.com/apache/incubator-superset/pull/10241): change on Alpha role, users started to have access to "Annotation Layers", "Css Templates" and "Import Dashboards".
+
 * [10324](https://github.com/apache/incubator-superset/pull/10324): Facebook Prophet has been introduced as an optional dependency to add support for timeseries forecasting in the chart data API. To enable this feature, install Superset with the optional dependency `prophet` or directly `pip install fbprophet`.

 * [10320](https://github.com/apache/incubator-superset/pull/10320): References to blacklst/whitelist language have been replaced with more appropriate alternatives. All configs refencing containing `WHITE`/`BLACK` have been replaced with `ALLOW`/`DENY`. Affected config variables that need to be updated: `TIME_GRAIN_BLACKLIST`, `VIZ_TYPE_BLACKLIST`, `DRUID_DATA_SOURCE_BLACKLIST`.
--- a/docs/security.rst
+++ b/docs/security.rst
@ -46,8 +46,9 @@ other users and altering other people's slices and dashboards.

 Alpha
 """""
-Alpha users have access to all data sources, but they cannot grant or revoke access
-from other users. They are also limited to altering the objects that they
+Alpha users have access to all data sources, and all features except SQLLab and
+security, so they cannot grant or revoke access from other users.
+They are also limited to altering the objects that they
 own. Alpha users can add and alter data sources.

 Gamma
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@ -128,9 +128,7 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods

    ADMIN_ONLY_VIEW_MENUS = {
        "AccessRequestsModelView",
-        "Manage",
        "SQL Lab",
-        "Queries",
        "Refresh Druid Metadata",
        "ResetPasswordView",
        "RoleModelView",
@ -139,7 +137,13 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
        "RowLevelSecurityFiltersModelView",
    } | USER_MODEL_VIEWS

-    ALPHA_ONLY_VIEW_MENUS = {"Upload a CSV"}
+    ALPHA_ONLY_VIEW_MENUS = {
+        "Manage",
+        "CSS Templates",
+        "Queries",
+        "Import dashboards",
+        "Upload a CSV",
+    }

    ADMIN_ONLY_PERMISSIONS = {
        "can_sql_json",  # TODO: move can_sql_json to sql_lab role
--- a/tests/security_tests.py
+++ b/tests/security_tests.py
@ -570,6 +570,9 @@ class TestRolePermission(SupersetTestCase):
        self.assert_can_read(view_menu, permissions_set)
        self.assert_can_write(view_menu, permissions_set)

+    def assert_can_menu(self, view_menu, permissions_set):
+        self.assertIn(("menu_access", view_menu), permissions_set)
+
    def assert_can_gamma(self, perm_set):
        self.assert_can_read("TableModelView", perm_set)

@ -592,10 +595,24 @@ class TestRolePermission(SupersetTestCase):
        self.assertIn(("can_explore", "Superset"), perm_set)
        self.assertIn(("can_explore_json", "Superset"), perm_set)
        self.assertIn(("can_userinfo", "UserDBModelView"), perm_set)
+        self.assert_can_menu("Databases", perm_set)
+        self.assert_can_menu("Tables", perm_set)
+        self.assert_can_menu("Sources", perm_set)
+        self.assert_can_menu("Charts", perm_set)
+        self.assert_can_menu("Dashboards", perm_set)

    def assert_can_alpha(self, perm_set):
+        self.assert_can_all("AnnotationLayerModelView", perm_set)
+        self.assert_can_all("CssTemplateModelView", perm_set)
        self.assert_can_all("TableModelView", perm_set)
-
+        self.assert_can_read("QueryView", perm_set)
+        self.assertIn(("can_import_dashboards", "Superset"), perm_set)
+        self.assertIn(("can_this_form_post", "CsvToDatabaseView"), perm_set)
+        self.assertIn(("can_this_form_get", "CsvToDatabaseView"), perm_set)
+        self.assert_can_menu("Manage", perm_set)
+        self.assert_can_menu("Annotation Layers", perm_set)
+        self.assert_can_menu("CSS Templates", perm_set)
+        self.assert_can_menu("Upload a CSV", perm_set)
        self.assertIn(("all_datasource_access", "all_datasource_access"), perm_set)

    def assert_cannot_alpha(self, perm_set):
@ -617,6 +634,10 @@ class TestRolePermission(SupersetTestCase):
        self.assertIn(("can_override_role_permissions", "Superset"), perm_set)
        self.assertIn(("can_approve", "Superset"), perm_set)

+        self.assert_can_menu("Security", perm_set)
+        self.assert_can_menu("List Users", perm_set)
+        self.assert_can_menu("List Roles", perm_set)
+
    def test_is_admin_only(self):
        self.assertFalse(
            security_manager._is_admin_only(