This is an automated email from the ASF dual-hosted git repository.

dpgaspar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git


The following commit(s) were added to refs/heads/master by this push:
     new 562012c  fix(permissions): alpha role has all full features (#10241)
562012c is described below

commit 562012c5869bf4ef45349e81c48f10e27ff5aae3
Author: Daniel Vaz Gaspar <danielvazgas...@gmail.com>
AuthorDate: Mon Jul 27 10:32:30 2020 +0100

    fix(permissions): alpha role has all full features (#10241)
    
    * fix(permissions): alpha role is inconsistent
    
    * reverse and allow Alpha to access manager menu
    
    * Bump FAB to 3.0.1rc1 to include del permission fix
    
    * add docs, tests and UPDATING
    
    * EOL
    
    * Fix query view for Alpha
---
 UPDATING.md                  |  2 ++
 docs/security.rst            |  5 +++--
 superset/security/manager.py | 10 +++++++---
 tests/security_tests.py      | 23 ++++++++++++++++++++++-
 4 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/UPDATING.md b/UPDATING.md
index 420cb03..b65c19d 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -23,6 +23,8 @@ assists people when migrating to a new version.
 
 ## Next
 
+* [10241](https://github.com/apache/incubator-superset/pull/10241): change on 
Alpha role, users started to have access to "Annotation Layers", "Css 
Templates" and "Import Dashboards".
+
 * [10324](https://github.com/apache/incubator-superset/pull/10324): Facebook 
Prophet has been introduced as an optional dependency to add support for 
timeseries forecasting in the chart data API. To enable this feature, install 
Superset with the optional dependency `prophet` or directly `pip install 
fbprophet`.
 
 * [10320](https://github.com/apache/incubator-superset/pull/10320): References 
to blacklst/whitelist language have been replaced with more appropriate 
alternatives. All configs refencing containing `WHITE`/`BLACK` have been 
replaced with `ALLOW`/`DENY`. Affected config variables that need to be 
updated: `TIME_GRAIN_BLACKLIST`, `VIZ_TYPE_BLACKLIST`, 
`DRUID_DATA_SOURCE_BLACKLIST`.
diff --git a/docs/security.rst b/docs/security.rst
index 911aabe..29afdce 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -46,8 +46,9 @@ other users and altering other people's slices and dashboards.
 
 Alpha
 """""
-Alpha users have access to all data sources, but they cannot grant or revoke 
access
-from other users. They are also limited to altering the objects that they
+Alpha users have access to all data sources, and all features except SQLLab and
+security, so they cannot grant or revoke access from other users.
+They are also limited to altering the objects that they
 own. Alpha users can add and alter data sources.
 
 Gamma
diff --git a/superset/security/manager.py b/superset/security/manager.py
index 56d0b4e..da92d16 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -128,9 +128,7 @@ class SupersetSecurityManager(  # pylint: 
disable=too-many-public-methods
 
     ADMIN_ONLY_VIEW_MENUS = {
         "AccessRequestsModelView",
-        "Manage",
         "SQL Lab",
-        "Queries",
         "Refresh Druid Metadata",
         "ResetPasswordView",
         "RoleModelView",
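Review bot: Removing `"Queries"` from `ADMIN_ONLY_VIEW_MENUS` while `"SQL Lab"` stays in it leaves the reason for the split undocumented, so a later reader cannot tell whether query history was meant to become readable by Alpha. If the Queries view lists statements run by every user (not visible in this hunk), the stored SQL text can contain literals or connection details, so it is worth confirming that the view is filtered per user or that the exposure is accepted. I would add a comment above the set such as `# "Manage" and "Queries" are granted through ALPHA_ONLY_VIEW_MENUS; "SQL Lab" stays admin-only`. The set literal and the enclosing class both extend beyond this hunk.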
@@ -139,7 +137,13 @@ class SupersetSecurityManager(  # pylint: 
disable=too-many-public-methods
         "RowLevelSecurityFiltersModelView",
     } | USER_MODEL_VIEWS
 
-    ALPHA_ONLY_VIEW_MENUS = {"Upload a CSV"}
+    ALPHA_ONLY_VIEW_MENUS = {
+        "Manage",
+        "CSS Templates",
+        "Queries",
+        "Import dashboards",
+        "Upload a CSV",
+    }
 
     ADMIN_ONLY_PERMISSIONS = {
         "can_sql_json",  # TODO: move can_sql_json to sql_lab role
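Review bot: The new `ALPHA_ONLY_VIEW_MENUS` entries are display names, and two of them (`"Import dashboards"`, `"CSS Templates"`) differ in case from the spellings in this commit's UPDATING.md entry ("Import Dashboards", "Css Templates"). The code that compares against this set is outside the hunk, but if it is a plain membership test, a name that does not match the registered menu would silently leave that menu unrestricted for lower roles. `"Annotation Layers"` is asserted for Alpha in the tests yet is not listed here, so it should be stated whether Gamma is meant to see it. I would add a comment such as `# entries are compared against view-menu names; keep spelling and case in sync with the registered menus`.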
diff --git a/tests/security_tests.py b/tests/security_tests.py
index fb8e81e..60d20fd 100644
--- a/tests/security_tests.py
+++ b/tests/security_tests.py
@@ -570,6 +570,9 @@ class TestRolePermission(SupersetTestCase):
         self.assert_can_read(view_menu, permissions_set)
         self.assert_can_write(view_menu, permissions_set)
 
+    def assert_can_menu(self, view_menu, permissions_set):
+        self.assertIn(("menu_access", view_menu), permissions_set)
+
     def assert_can_gamma(self, perm_set):
         self.assert_can_read("TableModelView", perm_set)
 
@@ -592,10 +595,24 @@ class TestRolePermission(SupersetTestCase):
         self.assertIn(("can_explore", "Superset"), perm_set)
         self.assertIn(("can_explore_json", "Superset"), perm_set)
         self.assertIn(("can_userinfo", "UserDBModelView"), perm_set)
+        self.assert_can_menu("Databases", perm_set)
+        self.assert_can_menu("Tables", perm_set)
+        self.assert_can_menu("Sources", perm_set)
+        self.assert_can_menu("Charts", perm_set)
+        self.assert_can_menu("Dashboards", perm_set)
 
     def assert_can_alpha(self, perm_set):
+        self.assert_can_all("AnnotationLayerModelView", perm_set)
+        self.assert_can_all("CssTemplateModelView", perm_set)
         self.assert_can_all("TableModelView", perm_set)
-
+        self.assert_can_read("QueryView", perm_set)
+        self.assertIn(("can_import_dashboards", "Superset"), perm_set)
+        self.assertIn(("can_this_form_post", "CsvToDatabaseView"), perm_set)
+        self.assertIn(("can_this_form_get", "CsvToDatabaseView"), perm_set)
+        self.assert_can_menu("Manage", perm_set)
+        self.assert_can_menu("Annotation Layers", perm_set)
+        self.assert_can_menu("CSS Templates", perm_set)
+        self.assert_can_menu("Upload a CSV", perm_set)
         self.assertIn(("all_datasource_access", "all_datasource_access"), 
perm_set)
 
     def assert_cannot_alpha(self, perm_set):
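Review bot: `assert_can_alpha` gains only positive assertions, and none for the `"Queries"` or `"Import dashboards"` menus that this commit adds to `ALPHA_ONLY_VIEW_MENUS`; an `assert_can_menu` call for each, using whichever spelling is actually registered, would also catch a name mismatch in that set. Because the change widens a role, the negative side matters more: `assert_cannot_alpha` starts on the last line of this hunk and its body is not visible, so confirm it rejects `("menu_access", "Security")`, `("menu_access", "List Users")` and `("menu_access", "List Roles")`, the admin menus asserted in the next hunk, as well as `("menu_access", "SQL Lab")`. A Gamma-side check that the alpha-only menus are absent, e.g. `self.assertNotIn(("menu_access", "Manage"), perm_set)`, would guard against later role drift.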
@@ -617,6 +634,10 @@ class TestRolePermission(SupersetTestCase):
         self.assertIn(("can_override_role_permissions", "Superset"), perm_set)
         self.assertIn(("can_approve", "Superset"), perm_set)
 
+        self.assert_can_menu("Security", perm_set)
+        self.assert_can_menu("List Users", perm_set)
+        self.assert_can_menu("List Roles", perm_set)
+
     def test_is_admin_only(self):
         self.assertFalse(
             security_manager._is_admin_only(
