fix: dashboard get by id or slug access filter #22358
Changes from all commits
efb02da
c80cc0d
c81586d
d87266f
f623207
ce9428f
9bf63fc
b5b1e84
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -225,15 +225,36 @@ def test_get_dashboard_datasets_not_found(self): | |
response = self.get_assert_metric(uri, "get_datasets") | ||
self.assertEqual(response.status_code, 404) | ||
|
||
@pytest.mark.usefixtures("load_world_bank_dashboard_with_slices") | ||
def test_get_draft_dashboard_datasets(self): | ||
@pytest.mark.usefixtures("create_dashboards") | ||
def test_get_gamma_dashboard_datasets(self): | ||
""" | ||
All users should have access to dashboards without roles | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. yes this PR removes it. I'm setting |
||
Check that a gamma user with data access can access dashboard/datasets | ||
""" | ||
from superset.connectors.sqla.models import SqlaTable | ||
|
||
# Set correct role permissions | ||
gamma_role = security_manager.find_role("Gamma") | ||
fixture_dataset = db.session.query(SqlaTable).get(1) | ||
data_access_pvm = security_manager.add_permission_view_menu( | ||
"datasource_access", fixture_dataset.perm | ||
) | ||
gamma_role.permissions.append(data_access_pvm) | ||
db.session.commit() | ||
|
||
self.login(username="gamma") | ||
uri = "api/v1/dashboard/world_health/datasets" | ||
dashboard = self.dashboards[0] | ||
dashboard.published = True | ||
db.session.commit() | ||
|
||
uri = f"api/v1/dashboard/{dashboard.id}/datasets" | ||
response = self.get_assert_metric(uri, "get_datasets") | ||
self.assertEqual(response.status_code, 200) | ||
assert response.status_code == 200 | ||
|
||
# rollback permission change | ||
data_access_pvm = security_manager.find_permission_view_menu( | ||
"datasource_access", fixture_dataset.perm | ||
) | ||
security_manager.del_permission_role(gamma_role, data_access_pvm) | ||
|
||
@pytest.mark.usefixtures("create_dashboards") | ||
def get_dashboard_by_slug(self): | ||
|
@@ -319,17 +340,45 @@ def test_get_dashboard_charts_not_found(self): | |
response = self.get_assert_metric(uri, "get_charts") | ||
self.assertEqual(response.status_code, 404) | ||
|
||
@pytest.mark.usefixtures("load_world_bank_dashboard_with_slices") | ||
def test_get_dashboard_datasets_not_allowed(self): | ||
self.login(username="gamma") | ||
uri = "api/v1/dashboard/world_health/datasets" | ||
response = self.get_assert_metric(uri, "get_datasets") | ||
self.assertEqual(response.status_code, 404) | ||
|
||
@pytest.mark.usefixtures("create_dashboards") | ||
def test_get_draft_dashboard_charts(self): | ||
def test_get_gamma_dashboard_charts(self): | ||
""" | ||
All users should have access to draft dashboards without roles | ||
Check that a gamma user with data access can access dashboard/charts | ||
""" | ||
from superset.connectors.sqla.models import SqlaTable | ||
|
||
# Set correct role permissions | ||
gamma_role = security_manager.find_role("Gamma") | ||
fixture_dataset = db.session.query(SqlaTable).get(1) | ||
data_access_pvm = security_manager.add_permission_view_menu( | ||
"datasource_access", fixture_dataset.perm | ||
) | ||
gamma_role.permissions.append(data_access_pvm) | ||
db.session.commit() | ||
|
||
self.login(username="gamma") | ||
|
||
dashboard = self.dashboards[0] | ||
dashboard.published = True | ||
db.session.commit() | ||
|
||
uri = f"api/v1/dashboard/{dashboard.id}/charts" | ||
response = self.get_assert_metric(uri, "get_charts") | ||
assert response.status_code == 200 | ||
|
||
# rollback permission change | ||
data_access_pvm = security_manager.find_permission_view_menu( | ||
"datasource_access", fixture_dataset.perm | ||
) | ||
security_manager.del_permission_role(gamma_role, data_access_pvm) | ||
|
||
@pytest.mark.usefixtures("create_dashboards") | ||
def test_get_dashboard_charts_empty(self): | ||
""" | ||
|
@@ -451,7 +500,7 @@ def test_get_dashboard_no_data_access(self): | |
self.login(username="gamma") | ||
uri = f"api/v1/dashboard/{dashboard.id}" | ||
rv = self.client.get(uri) | ||
assert rv.status_code == 200 | ||
assert rv.status_code == 404 | ||
# rollback changes | ||
db.session.delete(dashboard) | ||
db.session.commit() | ||
|
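Review bot: In test_get_gamma_dashboard_datasets the rollback of the Gamma grant runs only after `assert response.status_code == 200`, so a failing assertion leaves `datasource_access` on the shared Gamma role and can skew later access-denied tests such as test_get_dashboard_datasets_not_allowed, which expects 404 for the same user. Putting the request and assertion under `try:` and moving `security_manager.del_permission_role(gamma_role, data_access_pvm)` under `finally:` keeps the role clean whatever the outcome; test_get_gamma_dashboard_charts in the second hunk has the same shape. `db.session.query(SqlaTable).get(1)` also assumes the dataset with primary key 1 is the one behind this dashboard's charts, which the visible lines do not establish; taking the dataset from the dashboard's own slices would tie the grant to what the access filter actually checks. `dashboard.published = True` is not reset either, presumably left to the create_dashboards teardown.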
Doesn't FAB fetch all the relationships as well, i.e., why do we need to explicitly compose a query which joins all the related models?
it does but the get item endpoint for dashboards is custom on Superset because we need to fetch a dashboard by `id` or `slug`, so in this case we need to custom develop. FAB `ModelRestApi` on get item endpoints will get item by the table primary key