[security] make it easier to redefine Alpha/Gamma (#7036)

* [security] make it easier to redefine Alpha/Gamma While talking about some security aspect and as to how you'd alter Alpha or Gamma role in a specific environment, I realized that these module-scoped constants would be much more useful as class attributes. This way, someone can override these sets in their security manager to alter base roles. * fix * flake8
2019-04-01 18:06:40 -07:00 · 2019-04-01 18:06:40 -07:00 · c5bdbc0964
parent a1d4635627
commit c5bdbc0964
1 changed files with 74 additions and 75 deletions
--- a/superset/security.py
+++ b/superset/security.py
@ -27,6 +27,8 @@ from superset import sql_parse
 from superset.connectors.connector_registry import ConnectorRegistry
 from superset.exceptions import SupersetSecurityException

+
+class SupersetSecurityManager(SecurityManager):
    READ_ONLY_MODEL_VIEWS = {
        'DatabaseAsync',
        'DatabaseView',
@ -92,9 +94,6 @@ OBJECT_SPEC_PERMISSIONS = set([
        'metric_access',
    ])

-
-class SupersetSecurityManager(SecurityManager):
-
    def get_schema_perm(self, database, schema):
        if schema:
            return '[{}].[{}]'.format(database, schema)
@ -263,7 +262,7 @@ class SupersetSecurityManager(SecurityManager):
            self.add_permission_view_menu(permission_name, view_menu_name)

    def is_user_defined_permission(self, perm):
-        return perm.permission.name in OBJECT_SPEC_PERMISSIONS
+        return perm.permission.name in self.OBJECT_SPEC_PERMISSIONS

    def create_custom_permissions(self):
        # Global perms
@ -359,21 +358,21 @@ class SupersetSecurityManager(SecurityManager):

    def is_admin_only(self, pvm):
        # not readonly operations on read only model views allowed only for admins
-        if (pvm.view_menu.name in READ_ONLY_MODEL_VIEWS and
-                pvm.permission.name not in READ_ONLY_PERMISSION):
+        if (pvm.view_menu.name in self.READ_ONLY_MODEL_VIEWS and
+                pvm.permission.name not in self.READ_ONLY_PERMISSION):
            return True
        return (
-            pvm.view_menu.name in ADMIN_ONLY_VIEW_MENUS or
-            pvm.permission.name in ADMIN_ONLY_PERMISSIONS
+            pvm.view_menu.name in self.ADMIN_ONLY_VIEW_MENUS or
+            pvm.permission.name in self.ADMIN_ONLY_PERMISSIONS
        )

    def is_alpha_only(self, pvm):
-        if (pvm.view_menu.name in GAMMA_READ_ONLY_MODEL_VIEWS and
-                pvm.permission.name not in READ_ONLY_PERMISSION):
+        if (pvm.view_menu.name in self.GAMMA_READ_ONLY_MODEL_VIEWS and
+                pvm.permission.name not in self.READ_ONLY_PERMISSION):
            return True
        return (
-            pvm.view_menu.name in ALPHA_ONLY_VIEW_MENUS or
-            pvm.permission.name in ALPHA_ONLY_PERMISSIONS
+            pvm.view_menu.name in self.ALPHA_ONLY_VIEW_MENUS or
+            pvm.permission.name in self.ALPHA_ONLY_PERMISSIONS
        )

    def is_admin_pvm(self, pvm):
@ -395,7 +394,7 @@ class SupersetSecurityManager(SecurityManager):
                'can_sql_json', 'can_csv', 'can_search_queries', 'can_sqllab_viz',
                'can_sqllab',
            } or
-            (pvm.view_menu.name in USER_MODEL_VIEWS and
+            (pvm.view_menu.name in self.USER_MODEL_VIEWS and
             pvm.permission.name == 'can_list'))

    def is_granter_pvm(self, pvm):