Merge pull request #37 from Webgains/SRV-932

SRV-932 security - not returning query in request if user has no perm…

superset/common/query_actions.py

@@ -21,7 +21,7 @@
 
 from flask_babel import _
 
-from superset import app
+from superset import app, security_manager
 from superset.common.chart_data import ChartDataResultType
 from superset.common.db_query_status import QueryStatus
 from superset.connectors.sqla.models import BaseDatasource
@@ -87,7 +87,10 @@ def _get_query(
     datasource = _get_datasource(query_context, query_obj)
     result = {"language": datasource.query_language}
     try:
-        result["query"] = datasource.get_query_str(query_obj.to_dict())
+        if security_manager.can_access('can_view_query', 'Dashboard'):
+            result["query"] = datasource.get_query_str(query_obj.to_dict())
+        else:
+            result["query"] = 'Forbidden'
     except QueryObjectValidationError as err:
         result["error"] = err.message
     return result

superset/models/helpers.py

@@ -51,7 +51,7 @@
 from sqlalchemy.sql.selectable import Alias, TableClause
 from sqlalchemy_utils import UUIDType
 
-from superset import app, db, is_feature_enabled
+from superset import app, db, is_feature_enabled, security_manager
 from superset.advanced_data_type.types import AdvancedDataTypeResponse
 from superset.common.db_query_status import QueryStatus
 from superset.common.utils.time_range_utils import get_since_until_from_time_range
@@ -580,7 +580,7 @@ def __init__(  # pylint: disable=too-many-arguments
         to_dttm: Optional[datetime] = None,
     ) -> None:
         self.df = df
-        self.query = query
+        self.query = query if security_manager.can_access('can_view_query', 'Dashboard') else ''
         self.duration = duration
         self.applied_template_filters = applied_template_filters or []
         self.applied_filter_columns = applied_filter_columns or []