From 562012c5869bf4ef45349e81c48f10e27ff5aae3 Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar
Date: Mon, 27 Jul 2020 10:32:30 +0100
Subject: [PATCH] fix(permissions): alpha role has all full features (#10241)

* fix(permissions): alpha role is inconsistent
* reverse and allow Alpha to access manager menu
* Bump FAB to 3.0.1rc1 to include del permission fix
* add docs, tests and UPDATING
* EOL
* Fix query view for Alpha
---
 UPDATING.md | 2 ++
 docs/security.rst | 5 +++--
 superset/security/manager.py | 10 +++++++---
 tests/security_tests.py | 23 ++++++++++++++++++++++-
 4 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/UPDATING.md b/UPDATING.md
index 420cb03106..b65c19d6c7 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -23,6 +23,8 @@ assists people when migrating to a new version.
 ## Next
+* [10241](https://github.com/apache/incubator-superset/pull/10241): change on Alpha role, users started to have access to "Annotation Layers", "Css Templates" and "Import Dashboards".
+
 * [10324](https://github.com/apache/incubator-superset/pull/10324): Facebook Prophet has been introduced as an optional dependency to add support for timeseries forecasting in the chart data API. To enable this feature, install Superset with the optional dependency `prophet` or directly `pip install fbprophet`.
 * [10320](https://github.com/apache/incubator-superset/pull/10320): References to blacklst/whitelist language have been replaced with more appropriate alternatives. All configs refencing containing `WHITE`/`BLACK` have been replaced with `ALLOW`/`DENY`. Affected config variables that need to be updated: `TIME_GRAIN_BLACKLIST`, `VIZ_TYPE_BLACKLIST`, `DRUID_DATA_SOURCE_BLACKLIST`.
diff --git a/docs/security.rst b/docs/security.rst
index 911aabead2..29afdce5fe 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -46,8 +46,9 @@ other users and altering other people's slices and dashboards.
 Alpha
 """""
-Alpha users have access to all data sources, but they cannot grant or revoke access
-from other users. They are also limited to altering the objects that they
+Alpha users have access to all data sources, and all features except SQLLab and
+security, so they cannot grant or revoke access from other users.
+They are also limited to altering the objects that they
 own. Alpha users can add and alter data sources.
 Gamma
diff --git a/superset/security/manager.py b/superset/security/manager.py
index 56d0b4e70c..da92d1684b 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -128,9 +128,7 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
 ADMIN_ONLY_VIEW_MENUS = {
 "AccessRequestsModelView",
- "Manage",
 "SQL Lab",
- "Queries",
 "Refresh Druid Metadata",
 "ResetPasswordView",
 "RoleModelView",
@@ -139,7 +137,13 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
 "RowLevelSecurityFiltersModelView",
 } | USER_MODEL_VIEWS
- ALPHA_ONLY_VIEW_MENUS = {"Upload a CSV"}
+ ALPHA_ONLY_VIEW_MENUS = {
+ "Manage",
+ "CSS Templates",
+ "Queries",
+ "Import dashboards",
+ "Upload a CSV",
+ }
 ADMIN_ONLY_PERMISSIONS = {
 "can_sql_json", # TODO: move can_sql_json to sql_lab role
diff --git a/tests/security_tests.py b/tests/security_tests.py
index fb8e81ee53..60d20fde09 100644
--- a/tests/security_tests.py
+++ b/tests/security_tests.py
@@ -570,6 +570,9 @@ class TestRolePermission(SupersetTestCase):
 self.assert_can_read(view_menu, permissions_set)
 self.assert_can_write(view_menu, permissions_set)
+ def assert_can_menu(self, view_menu, permissions_set):
+ self.assertIn(("menu_access", view_menu), permissions_set)
+
 def assert_can_gamma(self, perm_set):
 self.assert_can_read("TableModelView", perm_set)
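Review bot: The names added to ALPHA_ONLY_VIEW_MENUS (and the two removed from ADMIN_ONLY_VIEW_MENUS in the preceding hunk) are matched against registered view-menu names as plain strings, so a misspelling or case difference is never reported — the menu simply stops being classified as alpha-only, and from the structure of these deny-by-name sets such an unlisted menu would presumably fall through to a less restricted role, making the failure mode a broader grant rather than a narrower one; confirm against the role-sync code, which is outside this hunk. "Queries" also moves from admin-only to alpha-only while "SQL Lab" stays admin-only; if QueryView lists SQL Lab queries run by all users, Alpha can now read other users' query text for a feature it is itself denied, which the "all features except SQLLab" wording added to docs/security.rst in this patch does not convey. Suggest a comment on the set, `# Matched by exact view-menu name: a misspelled or unregistered name silently drops that menu out of this set, so keep it in sync with the menus the views register.`, plus a test that each listed name is granted to Alpha and absent from Gamma. The class body continues outside the hunk.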
@@ -592,10 +595,24 @@ class TestRolePermission(SupersetTestCase):
 self.assertIn(("can_explore", "Superset"), perm_set)
 self.assertIn(("can_explore_json", "Superset"), perm_set)
 self.assertIn(("can_userinfo", "UserDBModelView"), perm_set)
+ self.assert_can_menu("Databases", perm_set)
+ self.assert_can_menu("Tables", perm_set)
+ self.assert_can_menu("Sources", perm_set)
+ self.assert_can_menu("Charts", perm_set)
+ self.assert_can_menu("Dashboards", perm_set)
 def assert_can_alpha(self, perm_set):
+ self.assert_can_all("AnnotationLayerModelView", perm_set)
+ self.assert_can_all("CssTemplateModelView", perm_set)
 self.assert_can_all("TableModelView", perm_set)
-
+ self.assert_can_read("QueryView", perm_set)
+ self.assertIn(("can_import_dashboards", "Superset"), perm_set)
+ self.assertIn(("can_this_form_post", "CsvToDatabaseView"), perm_set)
+ self.assertIn(("can_this_form_get", "CsvToDatabaseView"), perm_set)
+ self.assert_can_menu("Manage", perm_set)
+ self.assert_can_menu("Annotation Layers", perm_set)
+ self.assert_can_menu("CSS Templates", perm_set)
+ self.assert_can_menu("Upload a CSV", perm_set)
 self.assertIn(("all_datasource_access", "all_datasource_access"), perm_set)
 def assert_cannot_alpha(self, perm_set):
@@ -617,6 +634,10 @@ class TestRolePermission(SupersetTestCase):
 self.assertIn(("can_override_role_permissions", "Superset"), perm_set)
 self.assertIn(("can_approve", "Superset"), perm_set)
+ self.assert_can_menu("Security", perm_set)
+ self.assert_can_menu("List Users", perm_set)
+ self.assert_can_menu("List Roles", perm_set)
+
 def test_is_admin_only(self):
 self.assertFalse(
 security_manager._is_admin_only(
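Review bot: assert_can_alpha asserts menu_access for "Manage", "Annotation Layers", "CSS Templates" and "Upload a CSV" but not for "Queries" or "Import dashboards", the other two names this patch adds to ALPHA_ONLY_VIEW_MENUS, so a mismatch between those strings and the registered menu names (the UPDATING entry in this patch spells it "Import Dashboards") would pass the suite; add `self.assert_can_menu("Queries", perm_set)` and `self.assert_can_menu("Import dashboards", perm_set)` beside the existing assert_can_menu calls. The new assertions are all positive: whether a Gamma-side check asserts that these alpha-only menus are absent is not visible in the hunk (assert_cannot_alpha starts on its last line), and that negative check is the one that would catch a menu silently dropping out of the set, which widens access rather than narrowing it. The function assert_can_gamma starts outside the hunk.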