mirror of https://github.com/apache/superset.git
feat(css templates): security perm simplification (#11856)
* feat: security converge css templates * fix security tests * fix JS test * add migration * black and fix migration
This commit is contained in:
parent
61064b9634
commit
71c567bf3a
|
@ -58,7 +58,7 @@ const mockUser = {
|
|||
};
|
||||
|
||||
fetchMock.get(templatesInfoEndpoint, {
|
||||
permissions: ['can_delete'],
|
||||
permissions: ['can_write'],
|
||||
});
|
||||
fetchMock.get(templatesEndpoint, {
|
||||
result: mocktemplates,
|
||||
|
@ -158,7 +158,7 @@ describe('CssTemplatesList', () => {
|
|||
});
|
||||
|
||||
it('shows/hides bulk actions when bulk actions is clicked', async () => {
|
||||
const button = wrapper.find(Button).at(0);
|
||||
const button = wrapper.find(Button).at(1);
|
||||
act(() => {
|
||||
button.props().onClick();
|
||||
});
|
||||
|
|
|
@ -74,9 +74,9 @@ function CssTemplatesList({
|
|||
setCurrentCssTemplate,
|
||||
] = useState<TemplateObject | null>(null);
|
||||
|
||||
const canCreate = hasPerm('can_add');
|
||||
const canEdit = hasPerm('can_edit');
|
||||
const canDelete = hasPerm('can_delete');
|
||||
const canCreate = hasPerm('can_write');
|
||||
const canEdit = hasPerm('can_write');
|
||||
const canDelete = hasPerm('can_write');
|
||||
|
||||
const [
|
||||
templateCurrentlyDeleting,
|
||||
|
|
|
@ -22,7 +22,7 @@ from flask_appbuilder.api import expose, protect, rison, safe
|
|||
from flask_appbuilder.models.sqla.interface import SQLAInterface
|
||||
from flask_babel import ngettext
|
||||
|
||||
from superset.constants import RouteMethod
|
||||
from superset.constants import MODEL_API_RW_METHOD_PERMISSION_MAP, RouteMethod
|
||||
from superset.css_templates.commands.bulk_delete import BulkDeleteCssTemplateCommand
|
||||
from superset.css_templates.commands.exceptions import (
|
||||
CssTemplateBulkDeleteFailedError,
|
||||
|
@ -47,7 +47,9 @@ class CssTemplateRestApi(BaseSupersetModelRestApi):
|
|||
RouteMethod.RELATED,
|
||||
"bulk_delete", # not using RouteMethod since locally defined
|
||||
}
|
||||
class_permission_name = "CssTemplateModelView"
|
||||
class_permission_name = "CssTemplate"
|
||||
method_permission_name = MODEL_API_RW_METHOD_PERMISSION_MAP
|
||||
|
||||
resource_name = "css_template"
|
||||
allow_browser_login = True
|
||||
|
||||
|
|
|
@ -0,0 +1,81 @@
|
|||
# Licensed to the Apache Software Foundation (ASF) under one
|
||||
# or more contributor license agreements. See the NOTICE file
|
||||
# distributed with this work for additional information
|
||||
# regarding copyright ownership. The ASF licenses this file
|
||||
# to you under the Apache License, Version 2.0 (the
|
||||
# "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
"""security converge css templates
|
||||
|
||||
Revision ID: 8ee129739cf9
|
||||
Revises: e38177dbf641
|
||||
Create Date: 2020-11-30 17:54:09.118630
|
||||
|
||||
"""
|
||||
|
||||
# revision identifiers, used by Alembic.
|
||||
revision = "8ee129739cf9"
|
||||
down_revision = "e38177dbf641"
|
||||
|
||||
|
||||
from alembic import op
|
||||
from sqlalchemy.exc import SQLAlchemyError
|
||||
from sqlalchemy.orm import Session
|
||||
|
||||
from superset.migrations.shared.security_converge import (
|
||||
add_pvms,
|
||||
get_reversed_new_pvms,
|
||||
get_reversed_pvm_map,
|
||||
migrate_roles,
|
||||
Pvm,
|
||||
)
|
||||
|
||||
NEW_PVMS = {"CssTemplate": ("can_read", "can_write",)}
|
||||
PVM_MAP = {
|
||||
Pvm("CssTemplateModelView", "can_list"): (Pvm("CssTemplate", "can_read"),),
|
||||
Pvm("CssTemplateModelView", "can_show"): (Pvm("CssTemplate", "can_read"),),
|
||||
Pvm("CssTemplateModelView", "can_add",): (Pvm("CssTemplate", "can_write"),),
|
||||
Pvm("CssTemplateModelView", "can_edit",): (Pvm("CssTemplate", "can_write"),),
|
||||
Pvm("CssTemplateModelView", "can_delete",): (Pvm("CssTemplate", "can_write"),),
|
||||
Pvm("CssTemplateModelView", "muldelete",): (Pvm("CssTemplate", "can_write"),),
|
||||
Pvm("CssTemplateAsyncModelView", "can_list",): (Pvm("CssTemplate", "can_read"),),
|
||||
Pvm("CssTemplateAsyncModelView", "muldelete",): (Pvm("CssTemplate", "can_write"),),
|
||||
}
|
||||
|
||||
|
||||
def upgrade():
|
||||
bind = op.get_bind()
|
||||
session = Session(bind=bind)
|
||||
|
||||
# Add the new permissions on the migration itself
|
||||
add_pvms(session, NEW_PVMS)
|
||||
migrate_roles(session, PVM_MAP)
|
||||
try:
|
||||
session.commit()
|
||||
except SQLAlchemyError as ex:
|
||||
print(f"An error occurred while upgrading permissions: {ex}")
|
||||
session.rollback()
|
||||
|
||||
|
||||
def downgrade():
|
||||
bind = op.get_bind()
|
||||
session = Session(bind=bind)
|
||||
|
||||
# Add the old permissions on the migration itself
|
||||
add_pvms(session, get_reversed_new_pvms(PVM_MAP))
|
||||
migrate_roles(session, get_reversed_pvm_map(PVM_MAP))
|
||||
try:
|
||||
session.commit()
|
||||
except SQLAlchemyError as ex:
|
||||
print(f"An error occurred while downgrading permissions: {ex}")
|
||||
session.rollback()
|
||||
pass
|
|
@ -20,7 +20,7 @@ from flask_appbuilder.security.decorators import has_access
|
|||
from flask_babel import lazy_gettext as _
|
||||
|
||||
from superset import is_feature_enabled
|
||||
from superset.constants import RouteMethod
|
||||
from superset.constants import MODEL_VIEW_RW_METHOD_PERMISSION_MAP, RouteMethod
|
||||
from superset.models import core as models
|
||||
from superset.typing import FlaskResponse
|
||||
from superset.views.base import DeleteMixin, SupersetModelView
|
||||
|
@ -32,6 +32,9 @@ class CssTemplateModelView( # pylint: disable=too-many-ancestors
|
|||
datamodel = SQLAInterface(models.CssTemplate)
|
||||
include_route_methods = RouteMethod.CRUD_SET
|
||||
|
||||
class_permission_name = "CssTemplate"
|
||||
method_permission_name = MODEL_VIEW_RW_METHOD_PERMISSION_MAP
|
||||
|
||||
list_title = _("CSS Templates")
|
||||
show_title = _("Show CSS Template")
|
||||
add_title = _("Add CSS Template")
|
||||
|
@ -55,4 +58,7 @@ class CssTemplateAsyncModelView( # pylint: disable=too-many-ancestors
|
|||
CssTemplateModelView
|
||||
):
|
||||
include_route_methods = {RouteMethod.API_READ}
|
||||
class_permission_name = "CssTemplate"
|
||||
method_permission_name = MODEL_VIEW_RW_METHOD_PERMISSION_MAP
|
||||
|
||||
list_columns = ["template_name", "css"]
|
||||
|
|
|
@ -159,6 +159,20 @@ class TestCssTemplateApi(SupersetTestCase):
|
|||
rv = self.get_assert_metric(uri, "info")
|
||||
assert rv.status_code == 200
|
||||
|
||||
def test_info_security_css_template(self):
|
||||
"""
|
||||
CssTemplate API: Test info security
|
||||
"""
|
||||
self.login(username="admin")
|
||||
params = {"keys": ["permissions"]}
|
||||
uri = f"api/v1/css_template/_info?q={prison.dumps(params)}"
|
||||
rv = self.get_assert_metric(uri, "info")
|
||||
data = json.loads(rv.data.decode("utf-8"))
|
||||
assert rv.status_code == 200
|
||||
assert "can_read" in data["permissions"]
|
||||
assert "can_write" in data["permissions"]
|
||||
assert len(data["permissions"]) == 2
|
||||
|
||||
@pytest.mark.usefixtures("create_css_templates")
|
||||
def test_get_css_template(self):
|
||||
"""
|
||||
|
|
|
@ -47,6 +47,8 @@ from .dashboard_utils import (
|
|||
)
|
||||
from .fixtures.unicode_dashboard import load_unicode_dashboard_with_slice
|
||||
|
||||
NEW_SECURITY_CONVERGE_VIEWS = ("CssTemplate", "SavedQuery")
|
||||
|
||||
|
||||
def get_perm_tuples(role_name):
|
||||
perm_set = set()
|
||||
|
@ -611,18 +613,27 @@ class TestRolePermission(SupersetTestCase):
|
|||
self.logout()
|
||||
|
||||
def assert_can_read(self, view_menu, permissions_set):
|
||||
self.assertIn(("can_list", view_menu), permissions_set)
|
||||
if view_menu in NEW_SECURITY_CONVERGE_VIEWS:
|
||||
self.assertIn(("can_read", view_menu), permissions_set)
|
||||
else:
|
||||
self.assertIn(("can_list", view_menu), permissions_set)
|
||||
|
||||
def assert_can_write(self, view_menu, permissions_set):
|
||||
self.assertIn(("can_add", view_menu), permissions_set)
|
||||
self.assertIn(("can_delete", view_menu), permissions_set)
|
||||
self.assertIn(("can_edit", view_menu), permissions_set)
|
||||
if view_menu in NEW_SECURITY_CONVERGE_VIEWS:
|
||||
self.assertIn(("can_write", view_menu), permissions_set)
|
||||
else:
|
||||
self.assertIn(("can_add", view_menu), permissions_set)
|
||||
self.assertIn(("can_delete", view_menu), permissions_set)
|
||||
self.assertIn(("can_edit", view_menu), permissions_set)
|
||||
|
||||
def assert_cannot_write(self, view_menu, permissions_set):
|
||||
self.assertNotIn(("can_add", view_menu), permissions_set)
|
||||
self.assertNotIn(("can_delete", view_menu), permissions_set)
|
||||
self.assertNotIn(("can_edit", view_menu), permissions_set)
|
||||
self.assertNotIn(("can_save", view_menu), permissions_set)
|
||||
if view_menu in NEW_SECURITY_CONVERGE_VIEWS:
|
||||
self.assertNotIn(("can_write", view_menu), permissions_set)
|
||||
else:
|
||||
self.assertNotIn(("can_add", view_menu), permissions_set)
|
||||
self.assertNotIn(("can_delete", view_menu), permissions_set)
|
||||
self.assertNotIn(("can_edit", view_menu), permissions_set)
|
||||
self.assertNotIn(("can_save", view_menu), permissions_set)
|
||||
|
||||
def assert_can_all(self, view_menu, permissions_set):
|
||||
self.assert_can_read(view_menu, permissions_set)
|
||||
|
@ -661,7 +672,7 @@ class TestRolePermission(SupersetTestCase):
|
|||
|
||||
def assert_can_alpha(self, perm_set):
|
||||
self.assert_can_all("AnnotationLayerModelView", perm_set)
|
||||
self.assert_can_all("CssTemplateModelView", perm_set)
|
||||
self.assert_can_all("CssTemplate", perm_set)
|
||||
self.assert_can_all("TableModelView", perm_set)
|
||||
self.assert_can_read("QueryView", perm_set)
|
||||
self.assertIn(("can_import_dashboards", "Superset"), perm_set)
|
||||
|
|
Loading…
Reference in New Issue