Fixing overwrite and save slice permissions for a give role (#298)

* Fixing overwrite and save slice permissions for a give role

* fix function name - build failed

* fix function name and test user permissions

* disable the button in the UI

* fix build error - characters too long in 1 line

* try to disable button on the UI

* disable cursor in caravel css. You wont be able to click anymore if no access

* fix build issues

* fix build errors! god bless me

* disable main features in dashboard and slice

* fix build issues

caravel/assets/stylesheets/caravel.css

@@ -29,6 +29,10 @@ input.form-control {
     color: red;
 }
 
+.disabledButton {
+    pointer-events: none;
+}
+
 .col-left-fixed {
     width:350px;
     position: absolute;

caravel/templates/caravel/dashboard.html

@@ -55,13 +55,13 @@
           <button type="button" id="filters" class="btn btn-default" data-toggle="tooltip" title="View the list of active filters">
             <i class="fa fa-filter"></i>
           </button>
-          <button type="button" id="css" class="btn btn-default" data-toggle="modal" data-target="#css_modal">
+          <button type="button" id="css" class="btn btn-default {{ "disabled disabledButton" if not dash_edit_perm }} " data-toggle="modal" data-target="#css_modal">
             <i class="fa fa-css3" data-toggle="tooltip" title="Edit the dashboard's CSS"></i>
           </button>
-          <a id="editdash" class="btn btn-default" href="/dashboardmodelview/edit/{{ dashboard.id }}" title="Edit this dashboard's property" data-toggle="tooltip" >
+          <a id="editdash" class="btn btn-default {{ "disabled disabledButton" if not dash_edit_perm }} " href="/dashboardmodelview/edit/{{ dashboard.id }}" title="Edit this dashboard's property" data-toggle="tooltip" >
               <i class="fa fa-edit"></i>
           </a>
-          <button type="button" id="savedash" class="btn btn-default" data-toggle="tooltip" title="Save the current positioning and CSS">
+          <button type="button" id="savedash" class="btn btn-default {{ "disabled disabledButton" if not dash_save_perm }}" data-toggle="tooltip" title="Save the current positioning and CSS">
             <i class="fa fa-save"></i>
           </button>
         </div>

caravel/templates/caravel/explore.html

@@ -69,7 +69,7 @@
                 <i class="fa fa-file-code-o"></i>
                 .json
               </span>
-              <span class="btn btn-default " id="csv" title="Export to .csv format" data-toggle="tooltip">
+              <span class="btn btn-default {{ "disabled disabledButton" if not can_download }}" id="csv" title="Export to .csv format" data-toggle="tooltip">
                 <i class="fa fa-file-text-o"></i>.csv
               </span>
               <span class="btn btn-warning notbtn" id="timer">0 sec</span>
@@ -86,13 +86,13 @@
                 <i class="fa fa-bolt"></i>Query
               </button>
               {% if viz.form_data.slice_id %}
-                <button type="button" class="btn btn-default" id="btn_overwrite">
+                  <button type="button" class="btn btn-default {{ "disabled disabledButton" if not can_edit }}" id="btn_overwrite">
                   <i class="fa fa-save"></i>Overwrite
-                </button>
+                  </button>
               {% endif %}
-              <button type="button" class="btn btn-default" id="btn_save">
-                <i class="fa fa-plus-circle"></i>Save as
-              </button>
+                  <button type="button" class="btn btn-default {{ "disabled disabledButton" if not can_add }}" id="btn_save">
+                  <i class="fa fa-plus-circle"></i>Save as
+                  </button>
             </div>
           </div>
           <br/>

caravel/views.py

@@ -140,7 +140,6 @@ class DatabaseView(CaravelModelView, DeleteMixin):  # noqa
     order_columns = utils.list_minus(list_columns, ['created_by_'])
     add_columns = [
         'database_name', 'sqlalchemy_uri', 'cache_timeout', 'extra']
-    show_columns = add_columns
     search_exclude_columns = ('password',)
     edit_columns = add_columns
     add_template = "caravel/models/database/add.html"
@@ -463,6 +462,13 @@ class Caravel(BaseView):
         datasource = datasource[0] if datasource else None
         slice_id = request.args.get("slice_id")
         slc = None
+        slice_add_perm = self.appbuilder.sm.has_access(
+            'can_add', 'SliceModelView')
+        slice_edit_perm = self.appbuilder.sm.has_access(
+            'can_edit', 'SliceModelView')
+        slice_download_perm = self.appbuilder.sm.has_access(
+            'can_download', 'SliceModelView')
+
         if slice_id:
             slc = (
                 db.session.query(models.Slice)
@@ -483,7 +489,8 @@ class Caravel(BaseView):
 
         action = request.args.get('action')
         if action in ('save', 'overwrite'):
-            return self.save(request.args, slc)
+            return self.save_or_overwrite_slice(
+                request.args, slc, slice_add_perm, slice_edit_perm)
 
         viz_type = request.args.get("viz_type")
         if not viz_type and datasource.default_endpoint:
@@ -529,7 +536,9 @@ class Caravel(BaseView):
                 template = "caravel/explore.html"
 
             resp = self.render_template(
-                template, viz=obj, slice=slc, datasources=datasources)
+                template, viz=obj, slice=slc, datasources=datasources,
+                can_add=slice_add_perm, can_edit=slice_edit_perm,
+                can_download=slice_download_perm)
             try:
                 pass
             except Exception as e:
@@ -541,9 +550,8 @@ class Caravel(BaseView):
                     mimetype="application/json")
             return resp
 
-    def save(self, args, slc):
-        """Saves (inserts or overwrite a slice) """
-        session = db.session()
+    def save_or_overwrite_slice(self, args, slc, slice_add_perm, slice_edit_perm):
+        """save or overwrite a slice"""
         slice_name = args.get('slice_name')
         action = args.get('action')
 
@@ -568,9 +576,6 @@ class Caravel(BaseView):
 
         if action == "save":
             slc = models.Slice()
-            msg = "Slice [{}] has been saved".format(slice_name)
-        elif action == "overwrite":
-            msg = "Slice [{}] has been overwritten".format(slice_name)
 
         slc.params = json.dumps(d, indent=4, sort_keys=True)
         slc.datasource_name = args.get('datasource_name')
@@ -580,13 +585,26 @@ class Caravel(BaseView):
         slc.datasource_type = datasource_type
         slc.slice_name = slice_name
 
-        if action == "save":
-            session.add(slc)
-        elif action == "overwrite":
-            session.merge(slc)
+        if action == 'save' and slice_add_perm:
+            self.save_slice(slc)
+        elif action == 'overwrite' and slice_edit_perm:
+            self.overwrite_slice(slc)
+
+        return redirect(slc.slice_url)
+
+    def save_slice(self, slc):
+        session = db.session()
+        msg = "Slice [{}] has been saved".format(slc.slice_name)
+        session.add(slc)
+        session.commit()
+        flash(msg, "info")
+
+    def overwrite_slice(self, slc):
+        session = db.session()
+        msg = "Slice [{}] has been overwritten".format(slc.slice_name)
+        session.merge(slc)
         session.commit()
         flash(msg, "info")
-        return redirect(slc.slice_url)
 
     @has_access
     @expose("/checkbox/<model_view>/<id_>/<attr>/<value>", methods=['GET'])
@@ -711,7 +729,9 @@ class Caravel(BaseView):
         return self.render_template(
             "caravel/dashboard.html", dashboard=dash,
             templates=templates,
-            pos_dict=pos_dict)
+            pos_dict=pos_dict,
+            dash_save_perm=appbuilder.sm.has_access('can_save_dash', 'Caravel'),
+            dash_edit_perm=appbuilder.sm.has_access('can_edit', 'DashboardModelView'))
 
     @has_access
     @expose("/sql/<database_id>/")