mirror of https://github.com/apache/superset.git
fix(permissions): alpha role has all full features (#10241)
* fix(permissions): alpha role is inconsistent * reverse and allow Alpha to access manager menu * Bump FAB to 3.0.1rc1 to include del permission fix * add docs, tests and UPDATING * EOL * Fix query view for Alpha
parent
d45ef1c513
commit
562012c586
|
@ -23,6 +23,8 @@ assists people when migrating to a new version.
|
|||
|
||||
## Next
|
||||
|
||||
* [10241](https://github.com/apache/incubator-superset/pull/10241): change on Alpha role, users started to have access to "Annotation Layers", "Css Templates" and "Import Dashboards".
|
||||
|
||||
* [10324](https://github.com/apache/incubator-superset/pull/10324): Facebook Prophet has been introduced as an optional dependency to add support for timeseries forecasting in the chart data API. To enable this feature, install Superset with the optional dependency `prophet` or directly `pip install fbprophet`.
|
||||
|
||||
* [10320](https://github.com/apache/incubator-superset/pull/10320): References to blacklst/whitelist language have been replaced with more appropriate alternatives. All configs refencing containing `WHITE`/`BLACK` have been replaced with `ALLOW`/`DENY`. Affected config variables that need to be updated: `TIME_GRAIN_BLACKLIST`, `VIZ_TYPE_BLACKLIST`, `DRUID_DATA_SOURCE_BLACKLIST`.
|
||||
|
|
|
@ -46,8 +46,9 @@ other users and altering other people's slices and dashboards.
|
|||
|
||||
Alpha
|
||||
"""""
|
||||
Alpha users have access to all data sources, but they cannot grant or revoke access
|
||||
from other users. They are also limited to altering the objects that they
|
||||
Alpha users have access to all data sources, and all features except SQLLab and
|
||||
security, so they cannot grant or revoke access from other users.
|
||||
They are also limited to altering the objects that they
|
||||
own. Alpha users can add and alter data sources.
|
||||
|
||||
Gamma
|
||||
|
|
|
@ -128,9 +128,7 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
|
|||
|
||||
ADMIN_ONLY_VIEW_MENUS = {
|
||||
"AccessRequestsModelView",
|
||||
"Manage",
|
||||
"SQL Lab",
|
||||
"Queries",
|
||||
"Refresh Druid Metadata",
|
||||
"ResetPasswordView",
|
||||
"RoleModelView",
|
||||
|
@ -139,7 +137,13 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
|
|||
"RowLevelSecurityFiltersModelView",
|
||||
} | USER_MODEL_VIEWS
|
||||
|
||||
ALPHA_ONLY_VIEW_MENUS = {"Upload a CSV"}
|
||||
ALPHA_ONLY_VIEW_MENUS = {
|
||||
"Manage",
|
||||
"CSS Templates",
|
||||
"Queries",
|
||||
"Import dashboards",
|
||||
"Upload a CSV",
|
||||
}
|
||||
|
||||
ADMIN_ONLY_PERMISSIONS = {
|
||||
"can_sql_json", # TODO: move can_sql_json to sql_lab role
|
||||
|
|
|
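Review bot: Moving "Queries" into `ALPHA_ONLY_VIEW_MENUS` while "SQL Lab" stays in `ADMIN_ONLY_VIEW_MENUS` needs a comment explaining the split, because the documentation updated in this commit says Alpha gets every feature except SQL Lab and security; if the query view is not filtered by owner (not visible here), Alpha users could read SQL submitted by other users. The +/- markers are lost on this page, so I am inferring from the `-128,9 +128,7` header that "Manage" and "Queries" are the two entries dropped from the admin-only set. The new set spells one entry "Import dashboards" while the upgrade note in this commit writes "Import Dashboards"; these are string literals, presumably matched by exact name, so the spelling should be confirmed against the registered menu name. Proposed comment above the set: `# View menus for Alpha and Admin, not Gamma (confirm); "Queries" is query history, SQL Lab itself stays admin-only`. The class body continues outside both hunks.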
@ -570,6 +570,9 @@ class TestRolePermission(SupersetTestCase):
|
|||
self.assert_can_read(view_menu, permissions_set)
|
||||
self.assert_can_write(view_menu, permissions_set)
|
||||
|
||||
def assert_can_menu(self, view_menu, permissions_set):
|
||||
self.assertIn(("menu_access", view_menu), permissions_set)
|
||||
|
||||
def assert_can_gamma(self, perm_set):
|
||||
self.assert_can_read("TableModelView", perm_set)
|
||||
|
||||
|
@ -592,10 +595,24 @@ class TestRolePermission(SupersetTestCase):
|
|||
self.assertIn(("can_explore", "Superset"), perm_set)
|
||||
self.assertIn(("can_explore_json", "Superset"), perm_set)
|
||||
self.assertIn(("can_userinfo", "UserDBModelView"), perm_set)
|
||||
self.assert_can_menu("Databases", perm_set)
|
||||
self.assert_can_menu("Tables", perm_set)
|
||||
self.assert_can_menu("Sources", perm_set)
|
||||
self.assert_can_menu("Charts", perm_set)
|
||||
self.assert_can_menu("Dashboards", perm_set)
|
||||
|
||||
def assert_can_alpha(self, perm_set):
|
||||
self.assert_can_all("AnnotationLayerModelView", perm_set)
|
||||
self.assert_can_all("CssTemplateModelView", perm_set)
|
||||
self.assert_can_all("TableModelView", perm_set)
|
||||
|
||||
self.assert_can_read("QueryView", perm_set)
|
||||
self.assertIn(("can_import_dashboards", "Superset"), perm_set)
|
||||
self.assertIn(("can_this_form_post", "CsvToDatabaseView"), perm_set)
|
||||
self.assertIn(("can_this_form_get", "CsvToDatabaseView"), perm_set)
|
||||
self.assert_can_menu("Manage", perm_set)
|
||||
self.assert_can_menu("Annotation Layers", perm_set)
|
||||
self.assert_can_menu("CSS Templates", perm_set)
|
||||
self.assert_can_menu("Upload a CSV", perm_set)
|
||||
self.assertIn(("all_datasource_access", "all_datasource_access"), perm_set)
|
||||
|
||||
def assert_cannot_alpha(self, perm_set):
|
||||
|
@ -617,6 +634,10 @@ class TestRolePermission(SupersetTestCase):
|
|||
self.assertIn(("can_override_role_permissions", "Superset"), perm_set)
|
||||
self.assertIn(("can_approve", "Superset"), perm_set)
|
||||
|
||||
self.assert_can_menu("Security", perm_set)
|
||||
self.assert_can_menu("List Users", perm_set)
|
||||
self.assert_can_menu("List Roles", perm_set)
|
||||
|
||||
def test_is_admin_only(self):
|
||||
self.assertFalse(
|
||||
security_manager._is_admin_only(
|
||||
|
|
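Review bot: `assert_can_alpha` checks menu access for "Manage", "Annotation Layers", "CSS Templates" and "Upload a CSV", but not for "Queries" or "Import dashboards", which this commit also places in `ALPHA_ONLY_VIEW_MENUS`; add `self.assert_can_menu("Queries", perm_set)` and `self.assert_can_menu("Import dashboards", perm_set)`, which would also catch a misspelled menu name. Because the change widens a role, the negative side matters as much: nothing visible asserts that Gamma lacks the moved menus or that Alpha still lacks "Security", "List Users" and "List Roles", for example `self.assertNotIn(("menu_access", "Security"), perm_set)` in `assert_cannot_alpha`, whose body lies outside this hunk. The new `assert_can_menu` helper would read better with a one-line docstring such as `"""Assert that the permission set grants menu_access on view_menu."""`.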