From ef5e11f45b06f8cceb24b6a19f10ff2e31a78832 Mon Sep 17 00:00:00 2001
From: Aliaksei Kushniarevich
Date: Wed, 15 Apr 2020 16:41:54 +0300
Subject: [PATCH] [copy] fix: Row Level Security get_rls_filters func SELECT statement (#9541)

* fix: Row Level Security get_rls_filters func SELECT statement
* More general RowLevelSecurityTests case to avoid improper ids matching
---
 superset/security/manager.py | 2 +-
 tests/security_tests.py | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/superset/security/manager.py b/superset/security/manager.py
index 2d720965ae5a5..01c80d6cb6a9a 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -919,7 +919,7 @@ def get_rls_filters(self, table: "BaseDatasource"):
 .subquery()
 )
 filter_roles = (
- db.session.query(RLSFilterRoles.c.id)
+ db.session.query(RLSFilterRoles.c.rls_filter_id)
 .filter(RLSFilterRoles.c.role_id.in_(user_roles))
 .subquery()
 )
diff --git a/tests/security_tests.py b/tests/security_tests.py
index 7b8df262fea42..476b67019f15a 100644
--- a/tests/security_tests.py
+++ b/tests/security_tests.py
@@ -833,10 +833,11 @@ def setUp(self):
 self.rls_entry.table = (
 session.query(SqlaTable).filter_by(table_name="birth_names").first()
 )
- self.rls_entry.clause = "gender = 'male'"
+ self.rls_entry.clause = "gender = 'boy'"
 self.rls_entry.roles.append(
 security_manager.find_role("Gamma")
 ) # db.session.query(Role).filter_by(name="Gamma").first())
+ self.rls_entry.roles.append(security_manager.find_role("Alpha"))
 db.session.add(self.rls_entry)
 db.session.commit()

@@ -849,7 +850,7 @@ def tearDown(self):
 # Do another test to make sure it doesn't alter another query
 def test_rls_filter_alters_query(self):
 g.user = self.get_user(
- username="gamma"
+ username="alpha"
 ) # self.login() doesn't actually set the user
 tbl = self.get_table_by_name("birth_names")
 query_obj = dict(
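Review bot: The corrected `db.session.query(RLSFilterRoles.c.rls_filter_id)` line carries no comment saying why this column is the right one, and the earlier `c.id` looked just as plausible, so the same slip could return in a later refactor. I would add `# select the filter FK; the association row's own id is unrelated to the filter's id` directly above the query. How `filter_roles` is consumed lies outside the hunk (get_rls_filters begins and ends beyond it), but if it is matched against filter ids, a wrong column here means a row-level filter can be skipped for a role that should have it, or matched through an unrelated row.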
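Review bot: The added `self.rls_entry.roles.append(security_manager.find_role("Alpha"))` is what makes this a regression test, but nothing in setUp says so. It appears to work only because the second association row gets an id different from the filter's id, which depends on insertion order and on the ids the fixture database hands out. A comment such as `# second role so the association-row id no longer coincides with the filter id (regression for #9541)` would keep a later cleanup from removing it. The trailing `# db.session.query(Role)...` comment on the Gamma append is leftover code and could be dropped at the same time. setUp starts above the hunk.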
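Review bot: Changing `username="gamma"` to `username="alpha"` removes the only positive assertion for the Gamma role, although setUp still attaches the filter to both roles. Running the body for both users, for example `for username in ("gamma", "alpha"):` with `g.user = self.get_user(username=username)`, would keep both role paths covered by the `assertIn`. The rest of test_rls_filter_alters_query lies outside this hunk.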
@@ -864,7 +865,7 @@ def test_rls_filter_alters_query(self):
 extras={},
 )
 sql = tbl.get_query_str(query_obj)
- self.assertIn("gender = 'male'", sql)
+ self.assertIn("gender = 'boy'", sql)

 def test_rls_filter_doesnt_alter_query(self):
 g.user = self.get_user(
@@ -883,4 +884,4 @@ def test_rls_filter_doesnt_alter_query(self):
 extras={},
 )
 sql = tbl.get_query_str(query_obj)
- self.assertNotIn("gender = 'male'", sql)
+ self.assertNotIn("gender = 'boy'", sql)