Make edit / add / delete perms available to all users. (#1722)

* Make edit / add / delete perms available to all users.

* Add tests and restrict from editing the datasources.
Bogdan 2016-11-30 17:05:09 -05:00 committed by GitHub
parent 32fc0ff6d0
commit e822d5a1b7
2 changed files with 90 additions and 24 deletions


@ -15,6 +15,19 @@ READ_ONLY_MODELVIEWS = {
'DatabaseView',
'DruidClusterModelView',
}
GAMMA_READ_ONLY_MODELVIEWS = {
'ColumnInlineView',
'SqlMetricInlineView',
'TableColumnInlineView',
'TableModelView',
'DatasourceModelView',
'DruidColumnInlineView',
'MetricInlineView',
'DruidDatasourceModelView',
'DruidMetricInlineView',
} | READ_ONLY_MODELVIEWS
ADMIN_ONLY_VIEW_MENUES = {
'AccessRequestsModelView',
'Manage',
@ -45,11 +58,6 @@ READ_ONLY_PERMISSION = {
}
ALPHA_ONLY_PERMISSIONS = set([
'can_add',
'can_download',
'can_delete',
'can_edit',
'can_save',
'datasource_access',
'schema_access',
'database_access',
@ -59,6 +67,10 @@ ALPHA_ONLY_PERMISSIONS = set([
READ_ONLY_PRODUCT = set(
product(READ_ONLY_PERMISSION, READ_ONLY_MODELVIEWS))
GAMMA_READ_ONLY_PRODUCT = set(
product(READ_ONLY_PERMISSION, GAMMA_READ_ONLY_MODELVIEWS))
OBJECT_SPEC_PERMISSIONS = set([
'database_access',
'schema_access',
@ -147,10 +159,12 @@ def sync_role_definitions():
if (
(
p.view_menu.name not in ADMIN_ONLY_VIEW_MENUES and
p.view_menu.name not in GAMMA_READ_ONLY_MODELVIEWS and
p.permission.name not in ADMIN_ONLY_PERMISSIONS and
p.permission.name not in ALPHA_ONLY_PERMISSIONS
) or
(p.permission.name, p.view_menu.name) in READ_ONLY_PRODUCT
(p.permission.name, p.view_menu.name) in
GAMMA_READ_ONLY_PRODUCT
):
sm.add_permission_role(gamma, p)
if PUBLIC_ROLE_LIKE_GAMMA:
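Review bot: The Gamma branch of `sync_role_definitions` is now default-allow for writes. Judging by the hunk counts, `can_add`, `can_download`, `can_delete`, `can_edit` and `can_save` leave `ALPHA_ONLY_PERMISSIONS`, so any view menu whose name is in neither `GAMMA_READ_ONLY_MODELVIEWS` nor `ADMIN_ONLY_VIEW_MENUES` grants them to Gamma. The deny list is matched on class-name strings, so a ModelView added or renamed later becomes Gamma-writable unless someone remembers to list it. A comment above the set would make that contract explicit, for example `# Any ModelView not listed here is writable by Gamma; list new datasource/config views here.` The closing `if PUBLIC_ROLE_LIKE_GAMMA:` line suggests the same grants may be mirrored onto the Public role; its body and the start of the function are outside the hunk, so please confirm that unauthenticated users do not gain the new write permissions when that flag is set.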


@ -25,10 +25,10 @@ class SupersetTestCase(unittest.TestCase):
def __init__(self, *args, **kwargs):
if (
self.requires_examples and
not os.environ.get('SOLO_TEST') and
not os.environ.get('examples_loaded')
):
self.requires_examples and
not os.environ.get('SOLO_TEST') and
not os.environ.get('examples_loaded')
):
logging.info("Loading examples")
cli.load_examples(load_test_data=True)
logging.info("Done loading examples")
@ -95,7 +95,6 @@ class SupersetTestCase(unittest.TestCase):
session.add(druid_datasource2)
session.commit()
def get_or_create(self, cls, criteria, session):
obj = session.query(cls).filter_by(**criteria).first()
if not obj:
@ -118,8 +117,8 @@ class SupersetTestCase(unittest.TestCase):
session = db.create_scoped_session()
query = (
session.query(models.Query)
.order_by(models.Query.id.desc())
.first()
.order_by(models.Query.id.desc())
.first()
)
session.close()
return query
@ -127,8 +126,8 @@ class SupersetTestCase(unittest.TestCase):
def get_slice(self, slice_name, session):
slc = (
session.query(models.Slice)
.filter_by(slice_name=slice_name)
.one()
.filter_by(slice_name=slice_name)
.one()
)
session.expunge_all()
return slc
@ -159,21 +158,21 @@ class SupersetTestCase(unittest.TestCase):
def get_main_database(self, session):
return (
db.session.query(models.Database)
.filter_by(database_name='main')
.first()
.filter_by(database_name='main')
.first()
)
def get_access_requests(self, username, ds_type, ds_id):
DAR = models.DatasourceAccessRequest
return (
db.session.query(DAR)
DAR = models.DatasourceAccessRequest
return (
db.session.query(DAR)
.filter(
DAR.created_by == sm.find_user(username=username),
DAR.datasource_type == ds_type,
DAR.datasource_id == ds_id,
DAR.created_by == sm.find_user(username=username),
DAR.datasource_type == ds_type,
DAR.datasource_id == ds_id,
)
.first()
)
)
def logout(self):
self.client.get('/logout/', follow_redirects=True)
@ -205,3 +204,56 @@ class SupersetTestCase(unittest.TestCase):
client_id=client_id),
)
return resp
def test_gamma_permissions(self):
def assert_can_read(view_menu):
self.assertIn(('can_show', view_menu), gamma_perm_set)
self.assertIn(('can_list', view_menu), gamma_perm_set)
def assert_can_write(view_menu):
self.assertIn(('can_add', view_menu), gamma_perm_set)
self.assertIn(('can_download', view_menu), gamma_perm_set)
self.assertIn(('can_delete', view_menu), gamma_perm_set)
self.assertIn(('can_edit', view_menu), gamma_perm_set)
def assert_cannot_write(view_menu):
self.assertNotIn(('can_add', view_menu), gamma_perm_set)
self.assertNotIn(('can_download', view_menu), gamma_perm_set)
self.assertNotIn(('can_delete', view_menu), gamma_perm_set)
self.assertNotIn(('can_edit', view_menu), gamma_perm_set)
self.assertNotIn(('can_save', view_menu), gamma_perm_set)
def assert_can_all(view_menu):
assert_can_read(view_menu)
assert_can_write(view_menu)
gamma_perm_set = set()
for perm in sm.find_role('Gamma').permissions:
gamma_perm_set.add((perm.permission.name, perm.view_menu.name))
# check read only perms
assert_can_read('TableModelView')
assert_cannot_write('DruidColumnInlineView')
# make sure that user can create slices and dashboards
assert_can_all('SliceModelView')
assert_can_all('DashboardModelView')
self.assertIn(('can_add_slices', 'Superset'), gamma_perm_set)
self.assertIn(('can_copy_dash', 'Superset'), gamma_perm_set)
self.assertIn(('can_activity_per_day', 'Superset'), gamma_perm_set)
self.assertIn(('can_created_dashboards', 'Superset'), gamma_perm_set)
self.assertIn(('can_created_slices', 'Superset'), gamma_perm_set)
self.assertIn(('can_csv', 'Superset'), gamma_perm_set)
self.assertIn(('can_dashboard', 'Superset'), gamma_perm_set)
self.assertIn(('can_explore', 'Superset'), gamma_perm_set)
self.assertIn(('can_explore_json', 'Superset'), gamma_perm_set)
self.assertIn(('can_fave_dashboards', 'Superset'), gamma_perm_set)
self.assertIn(('can_fave_slices', 'Superset'), gamma_perm_set)
self.assertIn(('can_save_dash', 'Superset'), gamma_perm_set)
self.assertIn(('can_slice', 'Superset'), gamma_perm_set)
self.assertIn(('can_update_explore', 'Superset'), gamma_perm_set)
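Review bot: The read-only half of `test_gamma_permissions` never asserts that Gamma is denied write access to the datasource views, which is the restriction the commit message describes. `assert_can_read('TableModelView')` checks only `can_show`/`can_list`, and the single `assert_cannot_write` call targets `'DruidColumnInlineView'`, so a regression that gives Gamma `can_edit` or `can_delete` on a table or Druid datasource would still pass. Adding `assert_cannot_write('TableModelView')` and `assert_cannot_write('DruidDatasourceModelView')` would close this; better still, loop over every name in `GAMMA_READ_ONLY_MODELVIEWS` if the test module can import it. `assert_can_write` also omits `can_save`, which `assert_cannot_write` does check, so the positive and negative helpers are not symmetric.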