From 7a98f848909ca2099e29d3f485fd299037142e65 Mon Sep 17 00:00:00 2001
From: Bogdan
Date: Fri, 18 Nov 2016 19:53:19 -0500
Subject: [PATCH] Admin / Alpha permission cleanup and fixes. (#1645)
---
 superset/security.py | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/superset/security.py b/superset/security.py
index 52fc67ea3b..463b609082 100644
--- a/superset/security.py
+++ b/superset/security.py
@@ -28,7 +28,6 @@ ADMIN_ONLY_VIEW_MENUES = {
 } | READ_ONLY_MODELVIEWS
 ADMIN_ONLY_PERMISSIONS = {
- 'all_datasource_access',
 'all_database_access',
 'datasource_access',
 'database_access',
@@ -52,10 +51,21 @@ ALPHA_ONLY_PERMISSIONS = set([
 'datasource_access',
 'database_access',
 'muldelete',
+ 'all_datasource_access',
 ])
 READ_ONLY_PRODUCT = set(
 product(READ_ONLY_PERMISSION, READ_ONLY_MODELVIEWS))
+OBJECT_SPEC_PERMISSIONS = set([
+ 'database_access',
+ 'datasource_access',
+ 'metric_access',
+])
+
+
+def is_user_defined_permission(perm):
+ return perm.permission.name in OBJECT_SPEC_PERMISSIONS
+
 def get_or_create_main_db():
 logging.info("Creating database reference")
@@ -99,11 +109,18 @@ def sync_role_definitions():
 logging.info("Syncing admin perms")
 for p in perms:
- sm.add_permission_role(admin, p)
+ # admin has all_database_access and all_datasource_access
+ if is_user_defined_permission(p):
+ sm.del_permission_role(admin, p)
+ else:
+ sm.add_permission_role(admin, p)
 logging.info("Syncing alpha perms")
 for p in perms:
- if (
+ # alpha has all_database_access and all_datasource_access
+ if is_user_defined_permission(p):
+ sm.del_permission_role(alpha, p)
+ elif (
 (
 p.view_menu.name not in ADMIN_ONLY_VIEW_MENUES and
 p.permission.name not in ADMIN_ONLY_PERMISSIONS
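Review bot: `is_user_defined_permission` has no docstring and its name does not match the constant it tests (`OBJECT_SPEC_PERMISSIONS`), so a reader cannot tell that it selects the per-object grants which role sync will strip from Admin and Alpha. I would add `"""Return True if perm is a per-object grant (database, datasource or metric) rather than a blanket permission."""` and say that `perm` is a permission-view row whose `.permission.name` is read. The set also lists `'metric_access'`, for which no blanket counterpart appears anywhere in this diff; whether Admin and Alpha keep metric access once those rows are removed depends on code outside the patch and is worth confirming before merge.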
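Review bot: The added comment `# alpha has all_database_access and all_datasource_access` disagrees with the sets in this same patch: `'all_database_access'` is still listed in `ADMIN_ONLY_PERMISSIONS`, and the `elif` that follows skips every name in that set. From the visible lines Alpha therefore loses its per-object `database_access` rows on each sync without receiving the blanket database permission, unless the part of the condition that lies outside the hunk grants it. If that is intended, the comment should say so, e.g. `# alpha has all_datasource_access; all_database_access stays admin-only`. `sync_role_definitions` starts before and continues past this hunk.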