feat(dao): admin can remove self from object owners #15149
Looks good, and I agree with the change.
Would be better to improve tests
if user.id not in owner_ids: | ||
if user.id not in owner_ids and "admin" not in [ | ||
role.name.lower() for role in user.roles | ||
]: |
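Review bot: the admin test on the added condition is an inline string match on lowercased role names ("admin" not in [role.name.lower() for role in user.roles]), so the ownership decision now depends on a role being literally named admin and on user.roles being populated for whatever user object reaches this branch. Consider moving the check into a single helper that takes the user as an argument and reusing it wherever admin status is decided, and confirm what user.id and user.roles evaluate to for an anonymous user before relying on them here.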
A bit out of scope, but there's an is_user_admin() on superset.views.base, seems misplaced and it probably would make more sense to place it on security manager. Also it uses g.user.
Another concern is that we may have a previous problem here regarding anonymous users (public access)
tests/charts/api_tests.py
Outdated
@@ -564,12 +564,13 @@ def test_update_chart_new_owner(self): | |||
gamma = self.get_user("gamma") | |||
admin = self.get_user("admin") | |||
chart_id = self.insert_chart("title", [gamma.id], 1).id | |||
chart_data = {"slice_name": "title1_changed"} | |||
chart_data = {"slice_name": "title1_changed", "owners": [admin.id]} |
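Review bot: on the changed chart_data line the payload lists admin.id in owners explicitly, so the outcome for admin no longer depends on the requesting user being added implicitly, and nothing visible in this hunk exercises the behaviour the PR introduces. Add a case where an admin submits an owners list that omits their own id and assert the list is stored as sent, plus a matching case for a non-admin user such as gamma asserting the previous behaviour is kept.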
Would be nice to add a gamma user test also. Seems to be missing the same kind of test for reports and datasets
7a463f5 to 7ffe6bf
Codecov Report
@@ Coverage Diff @@
## master #15149 +/- ##
==========================================
- Coverage 76.71% 76.50% -0.22%
==========================================
Files 996 996
Lines 53080 53090 +10
Branches 6739 6739
==========================================
- Hits 40721 40615 -106
- Misses 12130 12246 +116
Partials 229 229
This looks good! I particularly like the mixin approach
7ffe6bf to 45945ac
@villebro Ephemeral environment spinning up at http://54.184.78.24:8080. Credentials are
/testenv up
@kgabryje Ephemeral environment spinning up at http://34.210.173.44:8080. Credentials are
Ephemeral environment shutdown and build artifacts deleted.
(cherry picked from commit d6f9c48)
…gies
* upstream/master: (64 commits)
  check roles before fetching reports (#16260)
  chore: upgrade mypy and add type guards (#16227)
  fix: pivot columns with ints for name (#16259)
  chore(pylint): Bump Pylint to 2.9.6 (#16146)
  fix examples tab for dashboard (#16253)
  chore: bump superset-ui packages to 0.17.84 (#16251)
  chore: Shows the dataset description in the gallery dropdown (#16200)
  fix(Dashboard): Omnibar dropdown visibility and keyboard commands (#16168)
  chore: bump py version for integration test (#16213)
  fix: skip perms on query context update (#16250)
  refactor: external metadata fetch API (#16193)
  feat(dao): admin can remove self from object owners (#15149)
  fix(dashboard): cross filter chart highlight when filters badge icon clicked (#16233)
  fix: validate_parameters and query (#16241)
  fix: Remove Advanced Analytics tag for 2 charts (#16240)
  Revert "feat: Changing Dataset names (#16199)" (#16235)
  feat: Allow users to connect via legacy SQLA form (#16201)
  fix: remove encryption from db params (#16214)
  fix(Explore): Show the tooltip only when label does not fit the container in METRICS/FILTERS/GROUP BY/SORT BY of the DATA panel (#16060)
  Show/hide tooltips (#16192)
  ...
# Conflicts:
# superset/tasks/caching/cache_strategy.py
SUMMARY
Currently it is impossible for users to remove themselves from the list of users. This is to avoid the risk of a user mistakenly being "locked out" of a chart/dashboard/etc. This can be inconvenient if an admin edits an object, as they automatically become owners of the edited object.
This PR changes the logic as follows:
The following is unchanged:
BEFORE
Currently an admin is unable to remove themselves from the list of owners:
https://user-images.githubusercontent.com/33317356/121895878-5fd3c780-cd29-11eb-875b-273c323fc17e.mp4
AFTER
Now the admin can remove themselves from the owners:
https://user-images.githubusercontent.com/33317356/121895941-72e69780-cd29-11eb-988e-2ebea36a6c04.mp4
TESTING INSTRUCTIONS
ADDITIONAL INFORMATION