Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support DB perms #8816

Closed
wants to merge 1 commit into from
Closed

Support DB perms #8816

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 29 additions & 7 deletions superset/views/core.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,13 +39,13 @@
Response,
url_for,
)
from flask_appbuilder import expose
from flask_appbuilder import expose, Model
from flask_appbuilder.actions import action
from flask_appbuilder.models.sqla.interface import SQLAInterface
from flask_appbuilder.security.decorators import has_access, has_access_api
from flask_appbuilder.security.sqla import models as ab_models
from flask_babel import gettext as __, lazy_gettext as _
from sqlalchemy import and_, Integer, or_, select
from sqlalchemy import and_, Column, ForeignKey, Integer, or_, select, Table
from sqlalchemy.exc import SQLAlchemyError
from sqlalchemy.orm.session import Session
from werkzeug.routing import BaseConverter
Expand Down Expand Up @@ -244,14 +244,32 @@ def _deserialize_results_payload(
return json.loads(payload) # type: ignore


SQLTable = Table(
"tables",
Model.metadata, # pylint: disable=no-member
Column("id", Integer, primary_key=True),
Column("database_id", Integer, ForeignKey("dbs.id")),
extend_existing=True,
)


class SliceFilter(BaseFilter):
def apply(self, query, func): # noqa
if security_manager.all_datasource_access():
return query
perms = security_manager.user_view_menu_names("datasource_access")
database_perms = security_manager.user_view_menu_names("database_access")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what do you think about materializing db permissions in the tables and slices?
this would simplify the checks significantly.

datasource_perms = security_manager.user_view_menu_names("datasource_access")
schema_perms = security_manager.user_view_menu_names("schema_access")
return query.filter(
or_(self.model.perm.in_(perms), self.model.schema_perm.in_(schema_perms))
return (
query.outerjoin(SQLTable, self.model.datasource_id == SQLTable.c.id)
.outerjoin(models.Database, models.Database.id == SQLTable.c.database_id)
.filter(
or_(
models.Database.perm.in_(database_perms),
self.model.schema_perm.in_(schema_perms),
self.model.perm.in_(datasource_perms),
)
)
)


Expand All @@ -277,19 +295,23 @@ def apply(self, query, func):
if "admin" in user_roles:
return query

database_perms = security_manager.user_view_menu_names("database_access")
datasource_perms = security_manager.user_view_menu_names("datasource_access")
schema_perms = security_manager.user_view_menu_names("schema_access")
all_datasource_access = security_manager.all_datasource_access()
published_dash_query = (
db.session.query(Dash.id)
.join(Dash.slices)
.outerjoin(SQLTable, Slice.datasource_id == SQLTable.c.id)
.outerjoin(models.Database, models.Database.id == SQLTable.c.database_id)
.filter(
and_(
Dash.published == True, # noqa
or_(
Slice.perm.in_(datasource_perms),
Slice.schema_perm.in_(schema_perms),
all_datasource_access,
models.Database.perm.in_(database_perms),
Slice.schema_perm.in_(schema_perms),
Slice.perm.in_(datasource_perms),
),
)
)
Expand Down