fix(rbac): show objects accessible by database access perm (#23118)

(cherry picked from commit 89576f8a87)
2026-05-08 01:15:46 +00:00 · 2023-02-24 10:45:16 +02:00
parent 9096e27794
commit ae6e2a00a0
8 changed files with 116 additions and 63 deletions
--- a/tests/integration_tests/datasets/api_tests.py
+++ b/tests/integration_tests/datasets/api_tests.py
@@ -239,28 +239,47 @@ class TestDatasetApi(SupersetTestCase):
        response = json.loads(rv.data.decode("utf-8"))
        assert response["result"] == []

-    def test_get_dataset_list_gamma_owned(self):
+    def test_get_dataset_list_gamma_has_database_access(self):
        """
-        Dataset API: Test get dataset list owned by gamma
+        Dataset API: Test get dataset list with database access
        """
        if backend() == "sqlite":
            return

-        main_db = get_main_database()
-        owned_dataset = self.insert_dataset(
-            "ab_user", [self.get_user("gamma").id], main_db
-        )
-
        self.login(username="gamma")
+
+        # create new dataset
+        main_db = get_main_database()
+        dataset = self.insert_dataset("ab_user", [], main_db)
+
+        # make sure dataset is not visible due to missing perms
        uri = "api/v1/dataset/"
        rv = self.get_assert_metric(uri, "get_list")
        assert rv.status_code == 200
        response = json.loads(rv.data.decode("utf-8"))

-        assert response["count"] == 1
-        assert response["result"][0]["table_name"] == "ab_user"
+        assert response["count"] == 0

-        db.session.delete(owned_dataset)
+        # give database access to main db
+        main_db_pvm = security_manager.find_permission_view_menu(
+            "database_access", main_db.perm
+        )
+        gamma_role = security_manager.find_role("Gamma")
+        gamma_role.permissions.append(main_db_pvm)
+        db.session.commit()
+
+        # make sure dataset is now visible
+        uri = "api/v1/dataset/"
+        rv = self.get_assert_metric(uri, "get_list")
+        assert rv.status_code == 200
+        response = json.loads(rv.data.decode("utf-8"))
+
+        tables = {tbl["table_name"] for tbl in response["result"]}
+        assert tables == {"ab_user"}
+
+        # revert gamma permission
+        gamma_role.permissions.remove(main_db_pvm)
+        db.session.delete(dataset)
        db.session.commit()

    def test_get_dataset_related_database_gamma(self):
@@ -2255,6 +2274,8 @@ class TestDatasetApi(SupersetTestCase):
        assert len(new_dataset.columns) == 2
        assert new_dataset.columns[0].column_name == "id"
        assert new_dataset.columns[1].column_name == "name"
+        db.session.delete(new_dataset)
+        db.session.commit()

    @pytest.mark.usefixtures("create_datasets")
    def test_duplicate_physical_dataset(self):