[security] make it easier to redefine Alpha/Gamma (#7036)

* [security] make it easier to redefine Alpha/Gamma

While talking about some security aspect and as to how you'd alter Alpha
or Gamma role in a specific environment, I realized that these
module-scoped constants would be much more useful as class attributes.

This way, someone can override these sets in their security manager
to alter base roles.

* fix

* flake8

superset/security.py

@@ -27,6 +27,8 @@ from superset import sql_parse
 from superset.connectors.connector_registry import ConnectorRegistry
 from superset.exceptions import SupersetSecurityException
 
+
+class SupersetSecurityManager(SecurityManager):
     READ_ONLY_MODEL_VIEWS = {
         'DatabaseAsync',
         'DatabaseView',
@@ -92,9 +94,6 @@ OBJECT_SPEC_PERMISSIONS = set([
         'metric_access',
     ])
 
-
-class SupersetSecurityManager(SecurityManager):
-
     def get_schema_perm(self, database, schema):
         if schema:
             return '[{}].[{}]'.format(database, schema)
@@ -263,7 +262,7 @@ class SupersetSecurityManager(SecurityManager):
             self.add_permission_view_menu(permission_name, view_menu_name)
 
     def is_user_defined_permission(self, perm):
-        return perm.permission.name in OBJECT_SPEC_PERMISSIONS
+        return perm.permission.name in self.OBJECT_SPEC_PERMISSIONS
 
     def create_custom_permissions(self):
         # Global perms
@@ -359,21 +358,21 @@ class SupersetSecurityManager(SecurityManager):
 
     def is_admin_only(self, pvm):
         # not readonly operations on read only model views allowed only for admins
-        if (pvm.view_menu.name in READ_ONLY_MODEL_VIEWS and
+        if (pvm.view_menu.name in self.READ_ONLY_MODEL_VIEWS and
-                pvm.permission.name not in READ_ONLY_PERMISSION):
+                pvm.permission.name not in self.READ_ONLY_PERMISSION):
             return True
         return (
-            pvm.view_menu.name in ADMIN_ONLY_VIEW_MENUS or
+            pvm.view_menu.name in self.ADMIN_ONLY_VIEW_MENUS or
-            pvm.permission.name in ADMIN_ONLY_PERMISSIONS
+            pvm.permission.name in self.ADMIN_ONLY_PERMISSIONS
         )
 
     def is_alpha_only(self, pvm):
-        if (pvm.view_menu.name in GAMMA_READ_ONLY_MODEL_VIEWS and
+        if (pvm.view_menu.name in self.GAMMA_READ_ONLY_MODEL_VIEWS and
-                pvm.permission.name not in READ_ONLY_PERMISSION):
+                pvm.permission.name not in self.READ_ONLY_PERMISSION):
             return True
         return (
-            pvm.view_menu.name in ALPHA_ONLY_VIEW_MENUS or
+            pvm.view_menu.name in self.ALPHA_ONLY_VIEW_MENUS or
-            pvm.permission.name in ALPHA_ONLY_PERMISSIONS
+            pvm.permission.name in self.ALPHA_ONLY_PERMISSIONS
         )
 
     def is_admin_pvm(self, pvm):
@@ -395,7 +394,7 @@ class SupersetSecurityManager(SecurityManager):
                 'can_sql_json', 'can_csv', 'can_search_queries', 'can_sqllab_viz',
                 'can_sqllab',
             } or
-            (pvm.view_menu.name in USER_MODEL_VIEWS and
+            (pvm.view_menu.name in self.USER_MODEL_VIEWS and
              pvm.permission.name == 'can_list'))
 
     def is_granter_pvm(self, pvm):