pt
/
superset
mirror of https://github.com/apache/superset.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

feat: Adds a key-value endpoint to store charts form data (#17882) 

* feat: Adds a key-value endpoint to store charts form data

* Fixes linting problems

* Removes the query_params from the endpoints

* Refactors the commands

* Removes unused imports

* Changes the parameters to use dataclass

* Adds more access tests

* Gets the first dataset while testing

* Adds unit tests for the check_access function

* Changes the can_access check

* Always check for dataset access
This commit is contained in:
Michael S. Molina 2022-01-20 16:27:57 -03:00 committed by GitHub
parent 1f8129241b
commit 959b15eeca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
29 changed files with 1178 additions and 128 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
superset/charts/commands/exceptions.py
View File

@ -127,6 +127,10 @@ class ChartDeleteFailedReportsExistError(ChartDeleteFailedError):
message = _("There are associated alerts or reports")
class ChartAccessDeniedError(ForbiddenError):
message = _("You don't have access to this chart.")
class ChartForbiddenError(ForbiddenError):
message = _("Changing this chart is forbidden")

16
superset/charts/form_data/__init__.py Normal file
View File

@ -0,0 +1,16 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

259
superset/charts/form_data/api.py Normal file
View File

@ -0,0 +1,259 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
import logging
from typing import Type
from flask import Response
from flask_appbuilder.api import expose, protect, safe
from superset.charts.form_data.commands.create import CreateFormDataCommand
from superset.charts.form_data.commands.delete import DeleteFormDataCommand
from superset.charts.form_data.commands.get import GetFormDataCommand
from superset.charts.form_data.commands.update import UpdateFormDataCommand
from superset.extensions import event_logger
from superset.key_value.api import KeyValueRestApi
logger = logging.getLogger(__name__)
class ChartFormDataRestApi(KeyValueRestApi):
class_permission_name = "ChartFormDataRestApi"
resource_name = "chart"
openapi_spec_tag = "Chart Form Data"
def get_create_command(self) -> Type[CreateFormDataCommand]:
return CreateFormDataCommand
def get_update_command(self) -> Type[UpdateFormDataCommand]:
return UpdateFormDataCommand
def get_get_command(self) -> Type[GetFormDataCommand]:
return GetFormDataCommand
def get_delete_command(self) -> Type[DeleteFormDataCommand]:
return DeleteFormDataCommand
@expose("/<int:pk>/form_data", methods=["POST"])
@protect()
@safe
@event_logger.log_this_with_context(
action=lambda self, *args, **kwargs: f"{self.__class__.__name__}.post",
log_to_statsd=False,
)
def post(self, pk: int) -> Response:
"""Stores a new value.
---
post:
description: >-
Stores a new value.
parameters:
- in: path
schema:
type: integer
name: pk
- in: query
schema:
type: integer
name: dataset_id
required: true
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/KeyValuePostSchema'
responses:
201:
description: The value was stored successfully.
content:
application/json:
schema:
type: object
properties:
key:
type: string
description: The key to retrieve the value.
400:
$ref: '#/components/responses/400'
401:
$ref: '#/components/responses/401'
422:
$ref: '#/components/responses/422'
500:
$ref: '#/components/responses/500'
"""
return super().post(pk)
@expose("/<int:pk>/form_data/<string:key>", methods=["PUT"])
@protect()
@safe
@event_logger.log_this_with_context(
action=lambda self, *args, **kwargs: f"{self.__class__.__name__}.put",
log_to_statsd=False,
)
def put(self, pk: int, key: str) -> Response:
"""Updates an existing value.
---
put:
description: >-
Updates an existing value.
parameters:
- in: path
schema:
type: integer
name: pk
- in: path
schema:
type: string
name: key
- in: query
schema:
type: integer
name: dataset_id
required: true
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/KeyValuePutSchema'
responses:
200:
description: The value was stored successfully.
content:
application/json:
schema:
type: object
properties:
message:
type: string
description: The result of the operation
400:
$ref: '#/components/responses/400'
401:
$ref: '#/components/responses/401'
404:
$ref: '#/components/responses/404'
422:
$ref: '#/components/responses/422'
500:
$ref: '#/components/responses/500'
"""
return super().put(pk, key)
@expose("/<int(signed=True):pk>/form_data/<string:key>", methods=["GET"])
@protect()
@safe
@event_logger.log_this_with_context(
action=lambda self, *args, **kwargs: f"{self.__class__.__name__}.get",
log_to_statsd=False,
)
def get(self, pk: int, key: str) -> Response:
"""Retrives a value.
---
get:
description: >-
Retrives a value.
parameters:
- in: path
schema:
type: integer
name: pk
- in: path
schema:
type: string
name: key
- in: query
schema:
type: integer
name: dataset_id
required: true
responses:
200:
description: Returns the stored value.
content:
application/json:
schema:
type: object
properties:
value:
type: string
description: The stored value
400:
$ref: '#/components/responses/400'
401:
$ref: '#/components/responses/401'
404:
$ref: '#/components/responses/404'
422:
$ref: '#/components/responses/422'
500:
$ref: '#/components/responses/500'
"""
return super().get(pk, key)
@expose("/<int:pk>/form_data/<string:key>", methods=["DELETE"])
@protect()
@safe
@event_logger.log_this_with_context(
action=lambda self, *args, **kwargs: f"{self.__class__.__name__}.delete",
log_to_statsd=False,
)
def delete(self, pk: int, key: str) -> Response:
"""Deletes a value.
---
delete:
description: >-
Deletes a value.
parameters:
- in: path
schema:
type: integer
name: pk
- in: path
schema:
type: string
name: key
description: The value key.
- in: query
schema:
type: integer
name: dataset_id
required: true
responses:
200:
description: Deleted the stored value.
content:
application/json:
schema:
type: object
properties:
message:
type: string
description: The result of the operation
400:
$ref: '#/components/responses/400'
401:
$ref: '#/components/responses/401'
404:
$ref: '#/components/responses/404'
422:
$ref: '#/components/responses/422'
500:
$ref: '#/components/responses/500'
"""
return super().delete(pk, key)

16
superset/charts/form_data/commands/__init__.py Normal file
View File

@ -0,0 +1,16 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

35
superset/charts/form_data/commands/create.py Normal file
View File

@ -0,0 +1,35 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
from superset.charts.form_data.utils import check_access, get_dataset_id
from superset.extensions import cache_manager
from superset.key_value.commands.create import CreateKeyValueCommand
from superset.key_value.commands.entry import Entry
from superset.key_value.commands.parameters import CommandParameters
from superset.key_value.utils import cache_key
class CreateFormDataCommand(CreateKeyValueCommand):
def create(self, cmd_params: CommandParameters) -> bool:
check_access(cmd_params)
resource_id = cmd_params.resource_id
actor = cmd_params.actor
key = cache_key(resource_id or get_dataset_id(cmd_params), cmd_params.key)
value = cmd_params.value
if value:
entry: Entry = {"owner": actor.get_user_id(), "value": value}
return cache_manager.chart_form_data_cache.set(key, entry)
return False

37
superset/charts/form_data/commands/delete.py Normal file
View File

@ -0,0 +1,37 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
from superset.charts.form_data.utils import check_access, get_dataset_id
from superset.extensions import cache_manager
from superset.key_value.commands.delete import DeleteKeyValueCommand
from superset.key_value.commands.entry import Entry
from superset.key_value.commands.exceptions import KeyValueAccessDeniedError
from superset.key_value.commands.parameters import CommandParameters
from superset.key_value.utils import cache_key
class DeleteFormDataCommand(DeleteKeyValueCommand):
def delete(self, cmd_params: CommandParameters) -> bool:
check_access(cmd_params)
resource_id = cmd_params.resource_id
actor = cmd_params.actor
key = cache_key(resource_id or get_dataset_id(cmd_params), cmd_params.key)
entry: Entry = cache_manager.chart_form_data_cache.get(key)
if entry:
if entry["owner"] != actor.get_user_id():
raise KeyValueAccessDeniedError()
return cache_manager.chart_form_data_cache.delete(key)
return True

44
superset/charts/form_data/commands/get.py Normal file
View File

@ -0,0 +1,44 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
from typing import Optional
from flask import current_app as app
from superset.charts.form_data.utils import check_access, get_dataset_id
from superset.extensions import cache_manager
from superset.key_value.commands.entry import Entry
from superset.key_value.commands.get import GetKeyValueCommand
from superset.key_value.commands.parameters import CommandParameters
from superset.key_value.utils import cache_key
class GetFormDataCommand(GetKeyValueCommand):
def __init__(self, cmd_params: CommandParameters) -> None:
super().__init__(cmd_params)
config = app.config["CHART_FORM_DATA_CACHE_CONFIG"]
self._refresh_timeout = config.get("REFRESH_TIMEOUT_ON_RETRIEVAL")
def get(self, cmd_params: CommandParameters) -> Optional[str]:
check_access(cmd_params)
resource_id = cmd_params.resource_id
key = cache_key(resource_id or get_dataset_id(cmd_params), cmd_params.key)
entry: Entry = cache_manager.chart_form_data_cache.get(key)
if entry:
if self._refresh_timeout:
cache_manager.chart_form_data_cache.set(key, entry)
return entry["value"]
return None

40
superset/charts/form_data/commands/update.py Normal file
View File

@ -0,0 +1,40 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
from superset.charts.form_data.utils import check_access, get_dataset_id
from superset.extensions import cache_manager
from superset.key_value.commands.entry import Entry
from superset.key_value.commands.exceptions import KeyValueAccessDeniedError
from superset.key_value.commands.parameters import CommandParameters
from superset.key_value.commands.update import UpdateKeyValueCommand
from superset.key_value.utils import cache_key
class UpdateFormDataCommand(UpdateKeyValueCommand):
def update(self, cmd_params: CommandParameters) -> bool:
check_access(cmd_params)
resource_id = cmd_params.resource_id
actor = cmd_params.actor
key = cache_key(resource_id or get_dataset_id(cmd_params), cmd_params.key)
value = cmd_params.value
entry: Entry = cache_manager.chart_form_data_cache.get(key)
if entry and value:
user_id = actor.get_user_id()
if entry["owner"] != user_id:
raise KeyValueAccessDeniedError()
new_entry: Entry = {"owner": actor.get_user_id(), "value": value}
return cache_manager.chart_form_data_cache.set(key, new_entry)
return False

70
superset/charts/form_data/utils.py Normal file
View File

@ -0,0 +1,70 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
from typing import Optional
from superset import security_manager
from superset.charts.commands.exceptions import (
ChartAccessDeniedError,
ChartNotFoundError,
)
from superset.charts.dao import ChartDAO
from superset.datasets.commands.exceptions import (
DatasetAccessDeniedError,
DatasetNotFoundError,
)
from superset.datasets.dao import DatasetDAO
from superset.key_value.commands.parameters import CommandParameters
from superset.views.base import is_user_admin
from superset.views.utils import is_owner
def get_dataset_id(cmd_params: CommandParameters) -> Optional[str]:
query_params = cmd_params.query_params
if query_params:
return query_params.get("dataset_id")
return None
def check_dataset_access(cmd_params: CommandParameters) -> Optional[bool]:
dataset_id = get_dataset_id(cmd_params)
if dataset_id:
dataset = DatasetDAO.find_by_id(int(dataset_id))
if dataset:
can_access_datasource = security_manager.can_access_datasource(dataset)
if can_access_datasource:
return True
raise DatasetAccessDeniedError()
raise DatasetNotFoundError()
def check_access(cmd_params: CommandParameters) -> Optional[bool]:
resource_id = cmd_params.resource_id
actor = cmd_params.actor
check_dataset_access(cmd_params)
if resource_id == 0:
return True
chart = ChartDAO.find_by_id(resource_id)
if chart:
can_access_chart = (
is_user_admin()
or is_owner(chart, actor)
or security_manager.can_access("can_read", "Chart")
)
if can_access_chart:
return True
raise ChartAccessDeniedError()
raise ChartNotFoundError()

11
superset/config.py
View File

@ -577,13 +577,22 @@ DATA_CACHE_CONFIG: CacheConfig = {"CACHE_TYPE": "null"}
# Cache for filters state
FILTER_STATE_CACHE_CONFIG: CacheConfig = {
"CACHE_TYPE": "filesystem",
"CACHE_TYPE": "FileSystemCache",
"CACHE_DIR": os.path.join(DATA_DIR, "cache"),
"CACHE_DEFAULT_TIMEOUT": int(timedelta(days=90).total_seconds()),
"CACHE_THRESHOLD": 0,
"REFRESH_TIMEOUT_ON_RETRIEVAL": True,
}
# Cache for chart form data
CHART_FORM_DATA_CACHE_CONFIG: CacheConfig = {
"CACHE_TYPE": "FileSystemCache",
"CACHE_DIR": os.path.join(DATA_DIR, "cache"),
"CACHE_DEFAULT_TIMEOUT": int(timedelta(days=7).total_seconds()),
"CACHE_THRESHOLD": 0,
"REFRESH_TIMEOUT_ON_RETRIEVAL": True,
}
# store cache keys by datasource UID (via CacheKey) for custom processing/invalidation
STORE_CACHE_KEYS_IN_METADATA_DB = False

4
superset/dashboards/filter_state/api.py
View File

@ -31,9 +31,9 @@ logger = logging.getLogger(__name__)
class DashboardFilterStateRestApi(KeyValueRestApi):
class_permission_name = "FilterStateRestApi"
class_permission_name = "DashboardFilterStateRestApi"
resource_name = "dashboard"
openapi_spec_tag = "Filter State"
openapi_spec_tag = "Dashboard Filter State"
def get_create_command(self) -> Type[CreateFilterStateCommand]:
return CreateFilterStateCommand

21
superset/dashboards/filter_state/commands/create.py
View File

@ -14,25 +14,22 @@
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
from typing import Optional
from flask_appbuilder.security.sqla.models import User
from superset.dashboards.dao import DashboardDAO
from superset.dashboards.filter_state.commands.entry import Entry
from superset.extensions import cache_manager
from superset.key_value.commands.create import CreateKeyValueCommand
from superset.key_value.commands.entry import Entry
from superset.key_value.commands.parameters import CommandParameters
from superset.key_value.utils import cache_key
class CreateFilterStateCommand(CreateKeyValueCommand):
def create(
self, actor: User, resource_id: int, key: str, value: str
) -> Optional[bool]:
def create(self, cmd_params: CommandParameters) -> bool:
resource_id = cmd_params.resource_id
actor = cmd_params.actor
key = cache_key(resource_id, cmd_params.key)
value = cmd_params.value
dashboard = DashboardDAO.get_by_id_or_slug(str(resource_id))
if dashboard:
if dashboard and value:
entry: Entry = {"owner": actor.get_user_id(), "value": value}
return cache_manager.filter_state_cache.set(
cache_key(resource_id, key), entry
)
return cache_manager.filter_state_cache.set(key, entry)
return False

20
superset/dashboards/filter_state/commands/delete.py
View File

@ -14,29 +14,25 @@
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
from typing import Optional
from flask_appbuilder.security.sqla.models import User
from superset.dashboards.dao import DashboardDAO
from superset.dashboards.filter_state.commands.entry import Entry
from superset.extensions import cache_manager
from superset.key_value.commands.delete import DeleteKeyValueCommand
from superset.key_value.commands.entry import Entry
from superset.key_value.commands.exceptions import KeyValueAccessDeniedError
from superset.key_value.commands.parameters import CommandParameters
from superset.key_value.utils import cache_key
class DeleteFilterStateCommand(DeleteKeyValueCommand):
def delete(self, actor: User, resource_id: int, key: str) -> Optional[bool]:
def delete(self, cmd_params: CommandParameters) -> bool:
resource_id = cmd_params.resource_id
actor = cmd_params.actor
key = cache_key(resource_id, cmd_params.key)
dashboard = DashboardDAO.get_by_id_or_slug(str(resource_id))
if dashboard:
entry: Entry = cache_manager.filter_state_cache.get(
cache_key(resource_id, key)
)
entry: Entry = cache_manager.filter_state_cache.get(key)
if entry:
if entry["owner"] != actor.get_user_id():
raise KeyValueAccessDeniedError()
return cache_manager.filter_state_cache.delete(
cache_key(resource_id, key)
)
return cache_manager.filter_state_cache.delete(key)
return False

16
superset/dashboards/filter_state/commands/get.py
View File

@ -16,16 +16,26 @@
# under the License.
from typing import Optional
from flask import current_app as app
from superset.dashboards.dao import DashboardDAO
from superset.extensions import cache_manager
from superset.key_value.commands.get import GetKeyValueCommand
from superset.key_value.commands.parameters import CommandParameters
from superset.key_value.utils import cache_key
class GetFilterStateCommand(GetKeyValueCommand):
def get(self, resource_id: int, key: str, refresh_timeout: bool) -> Optional[str]:
def __init__(self, cmd_params: CommandParameters) -> None:
super().__init__(cmd_params)
config = app.config["FILTER_STATE_CACHE_CONFIG"]
self._refresh_timeout = config.get("REFRESH_TIMEOUT_ON_RETRIEVAL")
def get(self, cmd_params: CommandParameters) -> Optional[str]:
resource_id = cmd_params.resource_id
key = cache_key(resource_id, cmd_params.key)
DashboardDAO.get_by_id_or_slug(str(resource_id))
entry = cache_manager.filter_state_cache.get(cache_key(resource_id, key)) or {}
if entry and refresh_timeout:
entry = cache_manager.filter_state_cache.get(key) or {}
if entry and self._refresh_timeout:
cache_manager.filter_state_cache.set(key, entry)
return entry.get("value")

25
superset/dashboards/filter_state/commands/update.py
View File

@ -14,33 +14,28 @@
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
from typing import Optional
from flask_appbuilder.security.sqla.models import User
from superset.dashboards.dao import DashboardDAO
from superset.dashboards.filter_state.commands.entry import Entry
from superset.extensions import cache_manager
from superset.key_value.commands.entry import Entry
from superset.key_value.commands.exceptions import KeyValueAccessDeniedError
from superset.key_value.commands.parameters import CommandParameters
from superset.key_value.commands.update import UpdateKeyValueCommand
from superset.key_value.utils import cache_key
class UpdateFilterStateCommand(UpdateKeyValueCommand):
def update(
self, actor: User, resource_id: int, key: str, value: str
) -> Optional[bool]:
def update(self, cmd_params: CommandParameters) -> bool:
resource_id = cmd_params.resource_id
actor = cmd_params.actor
key = cache_key(resource_id, cmd_params.key)
value = cmd_params.value
dashboard = DashboardDAO.get_by_id_or_slug(str(resource_id))
if dashboard:
entry: Entry = cache_manager.filter_state_cache.get(
cache_key(resource_id, key)
)
if dashboard and value:
entry: Entry = cache_manager.filter_state_cache.get(key)
if entry:
user_id = actor.get_user_id()
if entry["owner"] != user_id:
raise KeyValueAccessDeniedError()
new_entry: Entry = {"owner": actor.get_user_id(), "value": value}
return cache_manager.filter_state_cache.set(
cache_key(resource_id, key), new_entry
)
return cache_manager.filter_state_cache.set(key, new_entry)
return False

4
superset/datasets/commands/exceptions.py
View File

@ -179,3 +179,7 @@ class DatasetForbiddenError(ForbiddenError):
class DatasetImportError(ImportFailedError):
message = _("Import dataset failed for an unknown reason")
class DatasetAccessDeniedError(ForbiddenError):
message = _("You don't have access to this dataset.")

8
superset/initialization/__init__.py
View File

@ -119,6 +119,7 @@ class SupersetAppInitializer: # pylint: disable=too-many-public-methods
from superset.cachekeys.api import CacheRestApi
from superset.charts.api import ChartRestApi
from superset.charts.data.api import ChartDataRestApi
from superset.charts.form_data.api import ChartFormDataRestApi
from superset.connectors.druid.views import (
Druid,
DruidClusterModelView,
@ -203,18 +204,19 @@ class SupersetAppInitializer: # pylint: disable=too-many-public-methods
appbuilder.add_api(CacheRestApi)
appbuilder.add_api(ChartRestApi)
appbuilder.add_api(ChartDataRestApi)
appbuilder.add_api(ChartFormDataRestApi)
appbuilder.add_api(CssTemplateRestApi)
appbuilder.add_api(DashboardFilterStateRestApi)
appbuilder.add_api(DashboardRestApi)
appbuilder.add_api(DatabaseRestApi)
appbuilder.add_api(DatasetRestApi)
appbuilder.add_api(DatasetColumnsRestApi)
appbuilder.add_api(DatasetMetricRestApi)
appbuilder.add_api(FilterSetRestApi)
appbuilder.add_api(QueryRestApi)
appbuilder.add_api(SavedQueryRestApi)
appbuilder.add_api(ReportScheduleRestApi)
appbuilder.add_api(ReportExecutionLogRestApi)
appbuilder.add_api(FilterSetRestApi)
appbuilder.add_api(DashboardFilterStateRestApi)
appbuilder.add_api(SavedQueryRestApi)
#
# Setup regular views
#

112
superset/key_value/api.py
View File

@ -19,17 +19,27 @@ from abc import ABC, abstractmethod
from typing import Any
from apispec import APISpec
from apispec.exceptions import DuplicateComponentNameError
from flask import g, request, Response
from flask_appbuilder.api import BaseApi
from marshmallow import ValidationError
from superset.charts.commands.exceptions import (
ChartAccessDeniedError,
ChartNotFoundError,
)
from superset.constants import MODEL_API_RW_METHOD_PERMISSION_MAP, RouteMethod
from superset.dashboards.commands.exceptions import (
DashboardAccessDeniedError,
DashboardNotFoundError,
)
from superset.datasets.commands.exceptions import (
DatasetAccessDeniedError,
DatasetNotFoundError,
)
from superset.exceptions import InvalidPayloadFormatError
from superset.key_value.commands.exceptions import KeyValueAccessDeniedError
from superset.key_value.commands.parameters import CommandParameters
from superset.key_value.schemas import KeyValuePostSchema, KeyValuePutSchema
logger = logging.getLogger(__name__)
@ -48,12 +58,15 @@ class KeyValueRestApi(BaseApi, ABC):
allow_browser_login = True
def add_apispec_components(self, api_spec: APISpec) -> None:
api_spec.components.schema(
KeyValuePostSchema.__name__, schema=KeyValuePostSchema,
)
api_spec.components.schema(
KeyValuePutSchema.__name__, schema=KeyValuePutSchema,
)
try:
api_spec.components.schema(
KeyValuePostSchema.__name__, schema=KeyValuePostSchema,
)
api_spec.components.schema(
KeyValuePutSchema.__name__, schema=KeyValuePutSchema,
)
except DuplicateComponentNameError:
pass
super().add_apispec_components(api_spec)
def post(self, pk: int) -> Response:
@ -61,52 +74,91 @@ class KeyValueRestApi(BaseApi, ABC):
raise InvalidPayloadFormatError("Request is not JSON")
try:
item = self.add_model_schema.load(request.json)
key = self.get_create_command()(g.user, pk, item["value"]).run()
args = CommandParameters(
actor=g.user,
resource_id=pk,
value=item["value"],
query_params=request.args,
)
key = self.get_create_command()(args).run()
return self.response(201, key=key)
except ValidationError as error:
return self.response_400(message=error.messages)
except (DashboardAccessDeniedError, KeyValueAccessDeniedError):
return self.response_403()
except DashboardNotFoundError:
return self.response_404()
except ValidationError as ex:
return self.response(400, message=ex.messages)
except (
ChartAccessDeniedError,
DashboardAccessDeniedError,
DatasetAccessDeniedError,
KeyValueAccessDeniedError,
) as ex:
return self.response(403, message=str(ex))
except (ChartNotFoundError, DashboardNotFoundError, DatasetNotFoundError) as ex:
return self.response(404, message=str(ex))
def put(self, pk: int, key: str) -> Response:
if not request.is_json:
raise InvalidPayloadFormatError("Request is not JSON")
try:
item = self.edit_model_schema.load(request.json)
result = self.get_update_command()(g.user, pk, key, item["value"]).run()
args = CommandParameters(
actor=g.user,
resource_id=pk,
key=key,
value=item["value"],
query_params=request.args,
)
result = self.get_update_command()(args).run()
if not result:
return self.response_404()
return self.response(200, message="Value updated successfully.")
except ValidationError as error:
return self.response_400(message=error.messages)
except (DashboardAccessDeniedError, KeyValueAccessDeniedError):
return self.response_403()
except DashboardNotFoundError:
return self.response_404()
except ValidationError as ex:
return self.response(400, message=ex.messages)
except (
ChartAccessDeniedError,
DashboardAccessDeniedError,
DatasetAccessDeniedError,
KeyValueAccessDeniedError,
) as ex:
return self.response(403, message=str(ex))
except (ChartNotFoundError, DashboardNotFoundError, DatasetNotFoundError) as ex:
return self.response(404, message=str(ex))
def get(self, pk: int, key: str) -> Response:
try:
value = self.get_get_command()(g.user, pk, key).run()
args = CommandParameters(
actor=g.user, resource_id=pk, key=key, query_params=request.args
)
value = self.get_get_command()(args).run()
if not value:
return self.response_404()
return self.response(200, value=value)
except (DashboardAccessDeniedError, KeyValueAccessDeniedError):
return self.response_403()
except DashboardNotFoundError:
return self.response_404()
except (
ChartAccessDeniedError,
DashboardAccessDeniedError,
DatasetAccessDeniedError,
KeyValueAccessDeniedError,
) as ex:
return self.response(403, message=str(ex))
except (ChartNotFoundError, DashboardNotFoundError, DatasetNotFoundError) as ex:
return self.response(404, message=str(ex))
def delete(self, pk: int, key: str) -> Response:
try:
result = self.get_delete_command()(g.user, pk, key).run()
args = CommandParameters(
actor=g.user, resource_id=pk, key=key, query_params=request.args
)
result = self.get_delete_command()(args).run()
if not result:
return self.response_404()
return self.response(200, message="Deleted successfully")
except (DashboardAccessDeniedError, KeyValueAccessDeniedError):
return self.response_403()
except DashboardNotFoundError:
return self.response_404()
except (
ChartAccessDeniedError,
DashboardAccessDeniedError,
DatasetAccessDeniedError,
KeyValueAccessDeniedError,
) as ex:
return self.response(403, message=str(ex))
except (ChartNotFoundError, DashboardNotFoundError, DatasetNotFoundError) as ex:
return self.response(404, message=str(ex))
@abstractmethod
def get_create_command(self) -> Any:

21
superset/key_value/commands/create.py
View File

@ -17,30 +17,25 @@
import logging
from abc import ABC, abstractmethod
from secrets import token_urlsafe
from typing import Optional
from flask_appbuilder.models.sqla import Model
from flask_appbuilder.security.sqla.models import User
from sqlalchemy.exc import SQLAlchemyError
from superset.commands.base import BaseCommand
from superset.key_value.commands.exceptions import KeyValueCreateFailedError
from superset.key_value.commands.parameters import CommandParameters
logger = logging.getLogger(__name__)
class CreateKeyValueCommand(BaseCommand, ABC):
def __init__(
self, actor: User, resource_id: int, value: str,
):
self._actor = actor
self._resource_id = resource_id
self._value = value
def __init__(self, cmd_params: CommandParameters):
self._cmd_params = cmd_params
def run(self) -> Model:
def run(self) -> str:
try:
key = token_urlsafe(48)
self.create(self._actor, self._resource_id, key, self._value)
self._cmd_params.key = key
self.create(self._cmd_params)
return key
except SQLAlchemyError as ex:
logger.exception("Error running create command")
@ -50,7 +45,5 @@ class CreateKeyValueCommand(BaseCommand, ABC):
pass
@abstractmethod
def create(
self, actor: User, resource_id: int, key: str, value: str
) -> Optional[bool]:
def create(self, cmd_params: CommandParameters) -> bool:
...

16
superset/key_value/commands/delete.py
View File

@ -16,27 +16,23 @@
# under the License.
import logging
from abc import ABC, abstractmethod
from typing import Optional
from flask_appbuilder.models.sqla import Model
from flask_appbuilder.security.sqla.models import User
from sqlalchemy.exc import SQLAlchemyError
from superset.commands.base import BaseCommand
from superset.key_value.commands.exceptions import KeyValueDeleteFailedError
from superset.key_value.commands.parameters import CommandParameters
logger = logging.getLogger(__name__)
class DeleteKeyValueCommand(BaseCommand, ABC):
def __init__(self, actor: User, resource_id: int, key: str):
self._actor = actor
self._resource_id = resource_id
self._key = key
def __init__(self, cmd_params: CommandParameters):
self._cmd_params = cmd_params
def run(self) -> Model:
def run(self) -> bool:
try:
return self.delete(self._actor, self._resource_id, self._key)
return self.delete(self._cmd_params)
except SQLAlchemyError as ex:
logger.exception("Error running delete command")
raise KeyValueDeleteFailedError() from ex
@ -45,5 +41,5 @@ class DeleteKeyValueCommand(BaseCommand, ABC):
pass
@abstractmethod
def delete(self, actor: User, resource_id: int, key: str) -> Optional[bool]:
def delete(self, cmd_params: CommandParameters) -> bool:
...

0
superset/dashboards/filter_state/commands/entry.py → superset/key_value/commands/entry.py
View File

18
superset/key_value/commands/get.py
View File

@ -18,28 +18,22 @@ import logging
from abc import ABC, abstractmethod
from typing import Optional
from flask import current_app as app
from flask_appbuilder.models.sqla import Model
from flask_appbuilder.security.sqla.models import User
from sqlalchemy.exc import SQLAlchemyError
from superset.commands.base import BaseCommand
from superset.key_value.commands.exceptions import KeyValueGetFailedError
from superset.key_value.commands.parameters import CommandParameters
logger = logging.getLogger(__name__)
class GetKeyValueCommand(BaseCommand, ABC):
def __init__(self, actor: User, resource_id: int, key: str):
self._actor = actor
self._resource_id = resource_id
self._key = key
def __init__(self, cmd_params: CommandParameters):
self._cmd_params = cmd_params
def run(self) -> Model:
def run(self) -> Optional[str]:
try:
config = app.config["FILTER_STATE_CACHE_CONFIG"]
refresh_timeout = config.get("REFRESH_TIMEOUT_ON_RETRIEVAL")
return self.get(self._resource_id, self._key, refresh_timeout)
return self.get(self._cmd_params)
except SQLAlchemyError as ex:
logger.exception("Error running get command")
raise KeyValueGetFailedError() from ex
@ -48,5 +42,5 @@ class GetKeyValueCommand(BaseCommand, ABC):
pass
@abstractmethod
def get(self, resource_id: int, key: str, refresh_timeout: bool) -> Optional[str]:
def get(self, cmd_params: CommandParameters) -> Optional[str]:
...

29
superset/key_value/commands/parameters.py Normal file
View File

@ -0,0 +1,29 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
from dataclasses import dataclass
from typing import Dict, Optional
from flask_appbuilder.security.sqla.models import User
@dataclass
class CommandParameters:
actor: User
resource_id: int
query_params: Dict[str, str]
key: Optional[str] = None
value: Optional[str] = None

19
superset/key_value/commands/update.py
View File

@ -16,30 +16,25 @@
# under the License.
import logging
from abc import ABC, abstractmethod
from typing import Optional
from flask_appbuilder.models.sqla import Model
from flask_appbuilder.security.sqla.models import User
from sqlalchemy.exc import SQLAlchemyError
from superset.commands.base import BaseCommand
from superset.key_value.commands.exceptions import KeyValueUpdateFailedError
from superset.key_value.commands.parameters import CommandParameters
logger = logging.getLogger(__name__)
class UpdateKeyValueCommand(BaseCommand, ABC):
def __init__(
self, actor: User, resource_id: int, key: str, value: str,
self, cmd_params: CommandParameters,
):
self._actor = actor
self._resource_id = resource_id
self._key = key
self._value = value
self._parameters = cmd_params
def run(self) -> Model:
def run(self) -> bool:
try:
return self.update(self._actor, self._resource_id, self._key, self._value)
return self.update(self._parameters)
except SQLAlchemyError as ex:
logger.exception("Error running update command")
raise KeyValueUpdateFailedError() from ex
@ -48,7 +43,5 @@ class UpdateKeyValueCommand(BaseCommand, ABC):
pass
@abstractmethod
def update(
self, actor: User, resource_id: int, key: str, value: str
) -> Optional[bool]:
def update(self, cmd_params: CommandParameters) -> bool:
...

12
superset/utils/cache_manager.py
View File

@ -26,6 +26,7 @@ class CacheManager:
self._data_cache = Cache()
self._thumbnail_cache = Cache()
self._filter_state_cache = Cache()
self._chart_form_data_cache = Cache()
def init_app(self, app: Flask) -> None:
self._cache.init_app(
@ -56,6 +57,13 @@ class CacheManager:
**app.config["FILTER_STATE_CACHE_CONFIG"],
},
)
self._chart_form_data_cache.init_app(
app,
{
"CACHE_DEFAULT_TIMEOUT": app.config["CACHE_DEFAULT_TIMEOUT"],
**app.config["CHART_FORM_DATA_CACHE_CONFIG"],
},
)
@property
def data_cache(self) -> Cache:
@ -72,3 +80,7 @@ class CacheManager:
@property
def filter_state_cache(self) -> Cache:
return self._filter_state_cache
@property
def chart_form_data_cache(self) -> Cache:
return self._chart_form_data_cache

16
tests/integration_tests/charts/form_data/__init__.py Normal file
View File

@ -0,0 +1,16 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

245
tests/integration_tests/charts/form_data/api_tests.py Normal file
View File

@ -0,0 +1,245 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
import json
from unittest.mock import patch
import pytest
from flask_appbuilder.security.sqla.models import User
from sqlalchemy.orm import Session
from superset.connectors.sqla.models import SqlaTable
from superset.datasets.commands.exceptions import DatasetAccessDeniedError
from superset.extensions import cache_manager
from superset.key_value.commands.entry import Entry
from superset.key_value.utils import cache_key
from superset.models.slice import Slice
from tests.integration_tests.base_tests import login
from tests.integration_tests.fixtures.world_bank_dashboard import (
load_world_bank_dashboard_with_slices,
load_world_bank_data,
)
from tests.integration_tests.test_app import app
key = "test-key"
value = "test"
@pytest.fixture
def client():
with app.test_client() as client:
with app.app_context():
yield client
@pytest.fixture
def chart_id(load_world_bank_dashboard_with_slices) -> int:
with app.app_context() as ctx:
session: Session = ctx.app.appbuilder.get_session
chart = session.query(Slice).filter_by(slice_name="World's Population").one()
return chart.id
@pytest.fixture
def admin_id() -> int:
with app.app_context() as ctx:
session: Session = ctx.app.appbuilder.get_session
admin = session.query(User).filter_by(username="admin").one()
return admin.id
@pytest.fixture
def dataset_id() -> int:
with app.app_context() as ctx:
session: Session = ctx.app.appbuilder.get_session
dataset = (
session.query(SqlaTable)
.filter_by(table_name="wb_health_population")
.first()
)
return dataset.id
@pytest.fixture(autouse=True)
def cache(chart_id, admin_id, dataset_id):
app.config["CHART_FORM_DATA_CACHE_CONFIG"] = {"CACHE_TYPE": "SimpleCache"}
cache_manager.init_app(app)
entry: Entry = {"owner": admin_id, "value": value}
cache_manager.chart_form_data_cache.set(cache_key(chart_id, key), entry)
cache_manager.chart_form_data_cache.set(cache_key(dataset_id, key), entry)
def test_post(client, chart_id: int, dataset_id: int):
login(client, "admin")
payload = {
"value": value,
}
resp = client.post(
f"api/v1/chart/{chart_id}/form_data?dataset_id={dataset_id}", json=payload
)
assert resp.status_code == 201
def test_post_bad_request(client, chart_id: int, dataset_id: int):
login(client, "admin")
payload = {
"value": 1234,
}
resp = client.post(
f"api/v1/chart/{chart_id}/form_data?dataset_id={dataset_id}", json=payload
)
assert resp.status_code == 400
def test_post_access_denied(client, chart_id: int, dataset_id: int):
login(client, "gamma")
payload = {
"value": value,
}
resp = client.post(
f"api/v1/chart/{chart_id}/form_data?dataset_id={dataset_id}", json=payload
)
assert resp.status_code == 404
def test_put(client, chart_id: int, dataset_id: int):
login(client, "admin")
payload = {
"value": "new value",
}
resp = client.put(
f"api/v1/chart/{chart_id}/form_data/{key}?dataset_id={dataset_id}", json=payload
)
assert resp.status_code == 200
def test_put_bad_request(client, chart_id: int, dataset_id: int):
login(client, "admin")
payload = {
"value": 1234,
}
resp = client.put(
f"api/v1/chart/{chart_id}/form_data/{key}?dataset_id={dataset_id}", json=payload
)
assert resp.status_code == 400
def test_put_access_denied(client, chart_id: int, dataset_id: int):
login(client, "gamma")
payload = {
"value": "new value",
}
resp = client.put(
f"api/v1/chart/{chart_id}/form_data/{key}?dataset_id={dataset_id}", json=payload
)
assert resp.status_code == 404
def test_put_not_owner(client, chart_id: int, dataset_id: int):
login(client, "gamma")
payload = {
"value": "new value",
}
resp = client.put(
f"api/v1/chart/{chart_id}/form_data/{key}?dataset_id={dataset_id}", json=payload
)
assert resp.status_code == 404
def test_get_key_not_found(client, chart_id: int, dataset_id: int):
login(client, "admin")
resp = client.get(
f"api/v1/chart/{chart_id}/form_data/unknown-key?dataset_id={dataset_id}"
)
assert resp.status_code == 404
def test_get_chart_not_found(client, dataset_id: int):
login(client, "admin")
resp = client.get(f"api/v1/chart/-1/form_data/{key}?dataset_id={dataset_id}")
assert resp.status_code == 404
def test_get(client, chart_id: int, dataset_id: int):
login(client, "admin")
resp = client.get(
f"api/v1/chart/{chart_id}/form_data/{key}?dataset_id={dataset_id}"
)
assert resp.status_code == 200
data = json.loads(resp.data.decode("utf-8"))
assert value == data.get("value")
def test_get_access_denied(client, chart_id: int, dataset_id: int):
login(client, "gamma")
resp = client.get(
f"api/v1/chart/{chart_id}/form_data/{key}?dataset_id={dataset_id}"
)
assert resp.status_code == 404
def test_get_no_dataset(client):
login(client, "admin")
resp = client.get(f"api/v1/chart/0/form_data/{key}")
assert resp.status_code == 404
def test_get_dataset(client, dataset_id: int):
login(client, "admin")
resp = client.get(f"api/v1/chart/0/form_data/{key}?dataset_id={dataset_id}")
assert resp.status_code == 200
def test_get_dataset_not_found(client):
login(client, "admin")
resp = client.get(f"api/v1/chart/0/form_data/{key}?dataset_id=-1")
assert resp.status_code == 404
@patch("superset.security.SupersetSecurityManager.can_access_datasource")
def test_get_dataset_access_denied(mock_can_access_datasource, client, dataset_id):
mock_can_access_datasource.side_effect = DatasetAccessDeniedError()
login(client, "admin")
resp = client.get(f"api/v1/chart/0/form_data/{key}?dataset_id={dataset_id}")
assert resp.status_code == 403
def test_delete(client, chart_id: int, dataset_id: int):
login(client, "admin")
resp = client.delete(
f"api/v1/chart/{chart_id}/form_data/{key}?dataset_id={dataset_id}"
)
assert resp.status_code == 200
def test_delete_access_denied(client, chart_id: int, dataset_id: int):
login(client, "gamma")
resp = client.delete(
f"api/v1/chart/{chart_id}/form_data/{key}?dataset_id={dataset_id}"
)
assert resp.status_code == 404
def test_delete_not_owner(client, chart_id: int, dataset_id: int, admin_id: int):
another_key = "another_key"
another_owner = admin_id + 1
entry: Entry = {"owner": another_owner, "value": value}
cache_manager.chart_form_data_cache.set(cache_key(chart_id, another_key), entry)
login(client, "admin")
resp = client.delete(
f"api/v1/chart/{chart_id}/form_data/{another_key}?dataset_id={dataset_id}"
)
assert resp.status_code == 403

2
tests/integration_tests/dashboards/filter_state/api_tests.py
View File

@ -22,8 +22,8 @@ from flask_appbuilder.security.sqla.models import User
from sqlalchemy.orm import Session
from superset.dashboards.commands.exceptions import DashboardAccessDeniedError
from superset.dashboards.filter_state.commands.entry import Entry
from superset.extensions import cache_manager
from superset.key_value.commands.entry import Entry
from superset.key_value.utils import cache_key
from superset.models.dashboard import Dashboard
from tests.integration_tests.base_tests import login

186
tests/unit_tests/charts/form_data/utils_test.py Normal file
View File

@ -0,0 +1,186 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
from flask.ctx import AppContext
from flask_appbuilder.security.sqla.models import User
from pytest import raises
from pytest_mock import MockFixture
from superset.charts.commands.exceptions import (
ChartAccessDeniedError,
ChartNotFoundError,
)
from superset.datasets.commands.exceptions import (
DatasetAccessDeniedError,
DatasetNotFoundError,
)
from superset.key_value.commands.parameters import CommandParameters
dataset_find_by_id = "superset.datasets.dao.DatasetDAO.find_by_id"
chart_find_by_id = "superset.charts.dao.ChartDAO.find_by_id"
is_user_admin = "superset.charts.form_data.utils.is_user_admin"
is_owner = "superset.charts.form_data.utils.is_owner"
can_access_datasource = (
"superset.security.SupersetSecurityManager.can_access_datasource"
)
can_access = "superset.security.SupersetSecurityManager.can_access"
def test_unsaved_chart_no_dataset_id(app_context: AppContext) -> None:
from superset.charts.form_data.utils import check_access
with raises(DatasetNotFoundError):
cmd_params = CommandParameters(resource_id=0, actor=User(), query_params={})
check_access(cmd_params)
def test_unsaved_chart_unknown_dataset_id(
mocker: MockFixture, app_context: AppContext
) -> None:
from superset.charts.form_data.utils import check_access
with raises(DatasetNotFoundError):
mocker.patch(dataset_find_by_id, return_value=None)
cmd_params = CommandParameters(
resource_id=0, actor=User(), query_params={"dataset_id": "1"}
)
check_access(cmd_params)
def test_unsaved_chart_unauthorized_dataset(
mocker: MockFixture, app_context: AppContext
) -> None:
from superset.charts.form_data import utils
from superset.connectors.sqla.models import SqlaTable
with raises(DatasetAccessDeniedError):
mocker.patch(dataset_find_by_id, return_value=SqlaTable())
mocker.patch(can_access_datasource, return_value=False)
cmd_params = CommandParameters(
resource_id=0, actor=User(), query_params={"dataset_id": "1"}
)
utils.check_access(cmd_params)
def test_unsaved_chart_authorized_dataset(
mocker: MockFixture, app_context: AppContext
) -> None:
from superset.charts.form_data.utils import check_access
from superset.connectors.sqla.models import SqlaTable
mocker.patch(dataset_find_by_id, return_value=SqlaTable())
mocker.patch(can_access_datasource, return_value=True)
cmd_params = CommandParameters(
resource_id=0, actor=User(), query_params={"dataset_id": "1"}
)
assert check_access(cmd_params) == True
def test_saved_chart_unknown_chart_id(
mocker: MockFixture, app_context: AppContext
) -> None:
from superset.charts.form_data.utils import check_access
from superset.connectors.sqla.models import SqlaTable
with raises(ChartNotFoundError):
mocker.patch(dataset_find_by_id, return_value=SqlaTable())
mocker.patch(can_access_datasource, return_value=True)
mocker.patch(chart_find_by_id, return_value=None)
cmd_params = CommandParameters(
resource_id=1, actor=User(), query_params={"dataset_id": "1"}
)
check_access(cmd_params)
def test_saved_chart_unauthorized_dataset(
mocker: MockFixture, app_context: AppContext
) -> None:
from superset.charts.form_data import utils
from superset.connectors.sqla.models import SqlaTable
with raises(DatasetAccessDeniedError):
mocker.patch(dataset_find_by_id, return_value=SqlaTable())
mocker.patch(can_access_datasource, return_value=False)
cmd_params = CommandParameters(
resource_id=1, actor=User(), query_params={"dataset_id": "1"}
)
utils.check_access(cmd_params)
def test_saved_chart_is_admin(mocker: MockFixture, app_context: AppContext) -> None:
from superset.charts.form_data.utils import check_access
from superset.connectors.sqla.models import SqlaTable
from superset.models.slice import Slice
mocker.patch(dataset_find_by_id, return_value=SqlaTable())
mocker.patch(can_access_datasource, return_value=True)
mocker.patch(is_user_admin, return_value=True)
mocker.patch(chart_find_by_id, return_value=Slice())
cmd_params = CommandParameters(
resource_id=1, actor=User(), query_params={"dataset_id": "1"}
)
assert check_access(cmd_params) == True
def test_saved_chart_is_owner(mocker: MockFixture, app_context: AppContext) -> None:
from superset.charts.form_data.utils import check_access
from superset.connectors.sqla.models import SqlaTable
from superset.models.slice import Slice
mocker.patch(dataset_find_by_id, return_value=SqlaTable())
mocker.patch(can_access_datasource, return_value=True)
mocker.patch(is_user_admin, return_value=False)
mocker.patch(is_owner, return_value=True)
mocker.patch(chart_find_by_id, return_value=Slice())
cmd_params = CommandParameters(
resource_id=1, actor=User(), query_params={"dataset_id": "1"}
)
assert check_access(cmd_params) == True
def test_saved_chart_has_access(mocker: MockFixture, app_context: AppContext) -> None:
from superset.charts.form_data.utils import check_access
from superset.connectors.sqla.models import SqlaTable
from superset.models.slice import Slice
mocker.patch(dataset_find_by_id, return_value=SqlaTable())
mocker.patch(can_access_datasource, return_value=True)
mocker.patch(is_user_admin, return_value=False)
mocker.patch(is_owner, return_value=False)
mocker.patch(can_access, return_value=True)
mocker.patch(chart_find_by_id, return_value=Slice())
cmd_params = CommandParameters(
resource_id=1, actor=User(), query_params={"dataset_id": "1"}
)
assert check_access(cmd_params) == True
def test_saved_chart_no_access(mocker: MockFixture, app_context: AppContext) -> None:
from superset.charts.form_data.utils import check_access
from superset.connectors.sqla.models import SqlaTable
from superset.models.slice import Slice
with raises(ChartAccessDeniedError):
mocker.patch(dataset_find_by_id, return_value=SqlaTable())
mocker.patch(can_access_datasource, return_value=True)
mocker.patch(is_user_admin, return_value=False)
mocker.patch(is_owner, return_value=False)
mocker.patch(can_access, return_value=False)
mocker.patch(chart_find_by_id, return_value=Slice())
cmd_params = CommandParameters(
resource_id=1, actor=User(), query_params={"dataset_id": "1"}
)
check_access(cmd_params)