Admin / Alpha permission cleanup and fixes. (#1645)

2016-11-18 19:53:19 -05:00 · 2016-11-18 19:53:19 -05:00 · 7a98f84890
parent 9b181280d4
commit 7a98f84890
1 changed files with 20 additions and 3 deletions
--- a/superset/security.py
+++ b/superset/security.py
@ -28,7 +28,6 @@ ADMIN_ONLY_VIEW_MENUES = {
 } | READ_ONLY_MODELVIEWS

 ADMIN_ONLY_PERMISSIONS = {
-    'all_datasource_access',
    'all_database_access',
    'datasource_access',
    'database_access',
@ -52,10 +51,21 @@ ALPHA_ONLY_PERMISSIONS = set([
    'datasource_access',
    'database_access',
    'muldelete',
+    'all_datasource_access',
 ])
 READ_ONLY_PRODUCT = set(
    product(READ_ONLY_PERMISSION, READ_ONLY_MODELVIEWS))

+OBJECT_SPEC_PERMISSIONS = set([
+    'database_access',
+    'datasource_access',
+    'metric_access',
+])
+
+
+def is_user_defined_permission(perm):
+    return perm.permission.name in OBJECT_SPEC_PERMISSIONS
+

 def get_or_create_main_db():
    logging.info("Creating database reference")
@ -99,11 +109,18 @@ def sync_role_definitions():

    logging.info("Syncing admin perms")
    for p in perms:
-        sm.add_permission_role(admin, p)
+        # admin has all_database_access and all_datasource_access
+        if is_user_defined_permission(p):
+            sm.del_permission_role(admin, p)
+        else:
+            sm.add_permission_role(admin, p)

    logging.info("Syncing alpha perms")
    for p in perms:
-        if (
+        # alpha has all_database_access and all_datasource_access
+        if is_user_defined_permission(p):
+            sm.del_permission_role(alpha, p)
+        elif (
                (
                    p.view_menu.name not in ADMIN_ONLY_VIEW_MENUES and
                    p.permission.name not in ADMIN_ONLY_PERMISSIONS