From e822d5a1b7eb8f0cabcfcc85f5201df8199db796 Mon Sep 17 00:00:00 2001 From: Bogdan Date: Wed, 30 Nov 2016 17:05:09 -0500 Subject: [PATCH] Make edit / add / delete perms available to all users. (#1722) * Make edit / add / delete perms available to all users. * Add tests and restrict from editing the datasources. --- superset/security.py | 26 ++++++++++--- tests/base_tests.py | 88 +++++++++++++++++++++++++++++++++++--------- 2 files changed, 90 insertions(+), 24 deletions(-) diff --git a/superset/security.py b/superset/security.py index 54a618b1ca..6d8c674dee 100644 --- a/superset/security.py +++ b/superset/security.py @@ -15,6 +15,19 @@ READ_ONLY_MODELVIEWS = { 'DatabaseView', 'DruidClusterModelView', } + +GAMMA_READ_ONLY_MODELVIEWS = { + 'ColumnInlineView', + 'SqlMetricInlineView', + 'TableColumnInlineView', + 'TableModelView', + 'DatasourceModelView', + 'DruidColumnInlineView', + 'MetricInlineView', + 'DruidDatasourceModelView', + 'DruidMetricInlineView', +} | READ_ONLY_MODELVIEWS + ADMIN_ONLY_VIEW_MENUES = { 'AccessRequestsModelView', 'Manage', @@ -45,11 +58,6 @@ READ_ONLY_PERMISSION = { } ALPHA_ONLY_PERMISSIONS = set([ - 'can_add', - 'can_download', - 'can_delete', - 'can_edit', - 'can_save', 'datasource_access', 'schema_access', 'database_access', @@ -59,6 +67,10 @@ ALPHA_ONLY_PERMISSIONS = set([ READ_ONLY_PRODUCT = set( product(READ_ONLY_PERMISSION, READ_ONLY_MODELVIEWS)) +GAMMA_READ_ONLY_PRODUCT = set( + product(READ_ONLY_PERMISSION, GAMMA_READ_ONLY_MODELVIEWS)) + + OBJECT_SPEC_PERMISSIONS = set([ 'database_access', 'schema_access', 
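Review bot: `GAMMA_READ_ONLY_MODELVIEWS` is a hard-coded denylist, and because this commit also drops `can_add`, `can_download`, `can_delete`, `can_edit` and `can_save` from `ALPHA_ONLY_PERMISSIONS`, Gamma now receives write permissions on every model view that is not named in this set. A datasource- or database-style view added later becomes Gamma-writable by default unless its author remembers to extend the set. I would state that contract directly above the definition, for example `# Views Gamma may only read; every new view exposing database or datasource metadata must be added here`. A stricter alternative is an allowlist of the views Gamma may write to; the new test names `SliceModelView` and `DashboardModelView`.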
@@ -147,10 +159,12 @@ def sync_role_definitions(): if ( ( p.view_menu.name not in ADMIN_ONLY_VIEW_MENUES and + p.view_menu.name not in GAMMA_READ_ONLY_MODELVIEWS and p.permission.name not in ADMIN_ONLY_PERMISSIONS and p.permission.name not in ALPHA_ONLY_PERMISSIONS ) or - (p.permission.name, p.view_menu.name) in READ_ONLY_PRODUCT + (p.permission.name, p.view_menu.name) in + GAMMA_READ_ONLY_PRODUCT ): sm.add_permission_role(gamma, p) if PUBLIC_ROLE_LIKE_GAMMA: diff --git a/tests/base_tests.py b/tests/base_tests.py index 954d8d69b0..3a66c756de 100644 --- a/tests/base_tests.py +++ b/tests/base_tests.py @@ -25,10 +25,10 @@ class SupersetTestCase(unittest.TestCase): def __init__(self, *args, **kwargs): if ( - self.requires_examples and - not os.environ.get('SOLO_TEST') and - not os.environ.get('examples_loaded') - ): + self.requires_examples and + not os.environ.get('SOLO_TEST') and + not os.environ.get('examples_loaded') + ): logging.info("Loading examples") cli.load_examples(load_test_data=True) logging.info("Done loading examples") @@ -95,7 +95,6 @@ class SupersetTestCase(unittest.TestCase): session.add(druid_datasource2) session.commit() - def get_or_create(self, cls, criteria, session): obj = session.query(cls).filter_by(**criteria).first() if not obj: @@ -118,8 +117,8 @@ class SupersetTestCase(unittest.TestCase): session = db.create_scoped_session() query = ( session.query(models.Query) - .order_by(models.Query.id.desc()) - .first() + .order_by(models.Query.id.desc()) + .first() ) session.close() return query @@ -127,8 +126,8 @@ class SupersetTestCase(unittest.TestCase): def get_slice(self, slice_name, session): slc = ( session.query(models.Slice) - .filter_by(slice_name=slice_name) - .one() + .filter_by(slice_name=slice_name) + .one() ) session.expunge_all() return slc 
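Review bot: The `if PUBLIC_ROLE_LIKE_GAMMA:` branch that follows this condition is left unchanged, and its body is outside the hunk, as are the start and end of `sync_role_definitions`. If that branch mirrors Gamma's grants onto the Public role, the add/edit/delete permissions this commit newly gives Gamma would also reach unauthenticated visitors on deployments that enable the setting. I would either filter write permissions out of what Public receives or record the decision at that branch, e.g. `# Gamma now carries can_add/can_edit/can_delete on unlisted views; confirm Public is meant to inherit them`. The first clause is still default-allow (anything not in an admin-only or alpha-only set is granted), so a short comment above the `if (` explaining "deny all on Gamma read-only views, then re-grant the read pairs" would make the rule easier to audit.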
@@ -159,21 +158,21 @@ class SupersetTestCase(unittest.TestCase): def get_main_database(self, session): return ( db.session.query(models.Database) - .filter_by(database_name='main') - .first() + .filter_by(database_name='main') + .first() ) def get_access_requests(self, username, ds_type, ds_id): - DAR = models.DatasourceAccessRequest - return ( - db.session.query(DAR) + DAR = models.DatasourceAccessRequest + return ( + db.session.query(DAR) .filter( - DAR.created_by == sm.find_user(username=username), - DAR.datasource_type == ds_type, - DAR.datasource_id == ds_id, + DAR.created_by == sm.find_user(username=username), + DAR.datasource_type == ds_type, + DAR.datasource_id == ds_id, ) .first() - ) + ) def logout(self): self.client.get('/logout/', follow_redirects=True) 
@@ -205,3 +204,56 @@ class SupersetTestCase(unittest.TestCase):
 client_id=client_id),
 )
 return resp
+
+ def test_gamma_permissions(self):
+ def assert_can_read(view_menu):
+ self.assertIn(('can_show', view_menu), gamma_perm_set)
+ self.assertIn(('can_list', view_menu), gamma_perm_set)
+
+ def assert_can_write(view_menu):
+ self.assertIn(('can_add', view_menu), gamma_perm_set)
+ self.assertIn(('can_download', view_menu), gamma_perm_set)
+ self.assertIn(('can_delete', view_menu), gamma_perm_set)
+ self.assertIn(('can_edit', view_menu), gamma_perm_set)
+
+ def assert_cannot_write(view_menu):
+ self.assertNotIn(('can_add', view_menu), gamma_perm_set)
+ self.assertNotIn(('can_download', view_menu), gamma_perm_set)
+ self.assertNotIn(('can_delete', view_menu), gamma_perm_set)
+ self.assertNotIn(('can_edit', view_menu), gamma_perm_set)
+ self.assertNotIn(('can_save', view_menu), gamma_perm_set)
+
+ def assert_can_all(view_menu):
+ assert_can_read(view_menu)
+ assert_can_write(view_menu)
+
+ gamma_perm_set = set()
+ for perm in sm.find_role('Gamma').permissions:
+ gamma_perm_set.add((perm.permission.name, perm.view_menu.name))
+
+ # check read only perms
+ assert_can_read('TableModelView')
+ assert_cannot_write('DruidColumnInlineView')
+
+ # make sure that user can create slices and dashboards
+ assert_can_all('SliceModelView')
+ assert_can_all('DashboardModelView')
+
+ self.assertIn(('can_add_slices', 'Superset'), gamma_perm_set)
+ self.assertIn(('can_copy_dash', 'Superset'), gamma_perm_set)
+ self.assertIn(('can_activity_per_day', 'Superset'), gamma_perm_set)
+ self.assertIn(('can_created_dashboards', 'Superset'), gamma_perm_set)
+ self.assertIn(('can_created_slices', 'Superset'), gamma_perm_set)
+ self.assertIn(('can_csv', 'Superset'), gamma_perm_set)
+ self.assertIn(('can_dashboard', 'Superset'), gamma_perm_set)
+ self.assertIn(('can_explore', 'Superset'), gamma_perm_set)
+ self.assertIn(('can_explore_json', 'Superset'), gamma_perm_set)
+ self.assertIn(('can_fave_dashboards', 'Superset'), gamma_perm_set)
+ self.assertIn(('can_fave_slices', 'Superset'), gamma_perm_set)
+ self.assertIn(('can_save_dash', 'Superset'), gamma_perm_set)
+ self.assertIn(('can_slice', 'Superset'), gamma_perm_set)
+ self.assertIn(('can_update_explore', 'Superset'), gamma_perm_set)
+
+
+
+
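Review bot: `test_gamma_permissions` checks the write restriction for a single view, `DruidColumnInlineView`, so a later change that reopens `TableModelView`, `DatasourceModelView` or `DatabaseView` to Gamma would still pass. Importing the set from `superset/security.py` and looping, `for view_menu in GAMMA_READ_ONLY_MODELVIEWS: assert_cannot_write(view_menu)`, would pin the whole denylist that the security change depends on. Separately, the test is added to the shared base class `SupersetTestCase` (per the hunk header), so every subclass would inherit and re-run it; a dedicated test class would be the usual home for it.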