From 2d00c63b757b399247e8e284b1af7db36df869ba Mon Sep 17 00:00:00 2001 From: John Bodley Date: Fri, 4 Aug 2023 08:17:03 -0700 Subject: [PATCH] Revert "fix(embedded): adding logic to check dataset used by filters (#24808)" This reverts commit 7f9b0380e0e9f192402efda014ff39469881859b. --- superset/security/manager.py | 25 +--------- .../security/guest_token_security_tests.py | 46 ------------------- 2 files changed, 2 insertions(+), 69 deletions(-) diff --git a/superset/security/manager.py b/superset/security/manager.py index 7c95bfd3d512b..aedf4fc0f1dd2 100644 --- a/superset/security/manager.py +++ b/superset/security/manager.py @@ -16,7 +16,6 @@ # under the License. # pylint: disable=too-many-lines """A set of constants and methods to manage permissions and security""" -import json import logging import re import time @@ -2059,28 +2058,8 @@ def can_access_based_on_dashboard(datasource: "BaseDatasource") -> bool: .filter(Dashboard.id.in_(dashboard_ids)) ) - if db.session.query(query.exists()).scalar(): - return True - - # check for datasets that are only used by filters - dashboards_json = ( - db.session.query(Dashboard.json_metadata) - .filter(Dashboard.id.in_(dashboard_ids)) - .all() - ) - for json_ in dashboards_json: - try: - json_metadata = json.loads(json_.json_metadata) - for filter_ in json_metadata.get("native_filter_configuration", []): - filter_dataset_ids = [ - target.get("datasetId") for target in filter_.get("targets", []) - ] - if datasource.id in filter_dataset_ids: - return True - except ValueError: - pass - - return False + exists = db.session.query(query.exists()).scalar() + return exists @staticmethod def _get_current_epoch_time() -> float: diff --git a/tests/integration_tests/security/guest_token_security_tests.py b/tests/integration_tests/security/guest_token_security_tests.py index e5bf589184396..e0517c9b28ae3 100644 --- a/tests/integration_tests/security/guest_token_security_tests.py +++ b/tests/integration_tests/security/guest_token_security_tests.py @@ -15,21 +15,18 @@ # specific language governing permissions and limitations # under the License. """Unit tests for Superset""" -import json from unittest import mock import pytest from flask import g from superset import db, security_manager -from superset.connectors.sqla.models import SqlaTable from superset.daos.dashboard import EmbeddedDashboardDAO from superset.dashboards.commands.exceptions import DashboardAccessDeniedError from superset.exceptions import SupersetSecurityException from superset.models.dashboard import Dashboard from superset.security.guest_token import GuestTokenResourceType from superset.sql_parse import Table -from superset.utils.database import get_example_database from tests.integration_tests.base_tests import SupersetTestCase from tests.integration_tests.fixtures.birth_names_dashboard import ( load_birth_names_dashboard_with_slices, @@ -236,46 +233,3 @@ def test_raise_for_dashboard_access_as_guest_no_rbac(self): db.session.delete(dash) db.session.commit() - - def test_can_access_datasource_used_in_dashboard_filter(self): - """ - Test that a user can access a datasource used only by a filter in a dashboard - they have access to. - """ - # Create a test dataset - test_dataset = SqlaTable( - database_id=get_example_database().id, - schema="main", - table_name="test_table_embedded_filter", - ) - db.session.add(test_dataset) - db.session.commit() - - # Create an embedabble dashboard with a filter powered by the test dataset - test_dashboard = Dashboard() - test_dashboard.dashboard_title = "Test Embedded Dashboard" - test_dashboard.json_metadata = json.dumps( - { - "native_filter_configuration": [ - {"targets": [{"datasetId": test_dataset.id}]} - ] - } - ) - test_dashboard.owners = [] - test_dashboard.slices = [] - test_dashboard.published = False - db.session.add(test_dashboard) - db.session.commit() - self.embedded = EmbeddedDashboardDAO.upsert(test_dashboard, []) - - # grant access to the dashboad - g.user = self.authorized_guest - g.user.resources = [{"type": "dashboard", "id": str(self.embedded.uuid)}] - g.user.roles = [security_manager.get_public_role()] - - # The user should have access to the datasource via the dashboard - security_manager.raise_for_access(datasource=test_dataset) - - db.session.delete(test_dashboard) - db.session.delete(test_dataset) - db.session.commit()