[security] improving the security scheme (#1587)

* [security] improving the security scheme * Addressing comments * improving docs * Creating security module to organize things * Moving CLI to its own module * perms * Materializung perms * progrss * Addressing comments, linting
2026-04-19 16:14:52 +00:00 · 2016-11-17 11:58:33 -08:00
parent aad9744d85
commit bce02e3f51
19 changed files with 765 additions and 543 deletions
--- a/tests/core_tests.py
+++ b/tests/core_tests.py
@@ -24,8 +24,6 @@ class CoreTests(SupersetTestCase):
    requires_examples = True

    def __init__(self, *args, **kwargs):
-        # Load examples first, so that we setup proper permission-view
-        # relations for all example data sources.
        super(CoreTests, self).__init__(*args, **kwargs)

    @classmethod
@@ -118,7 +116,9 @@ class CoreTests(SupersetTestCase):

    def test_save_slice(self):
        self.login(username='admin')
-        slice_id = self.get_slice("Energy Sankey", db.session).id
+        slice_name = "Energy Sankey"
+        slice_id = self.get_slice(slice_name, db.session).id
+        db.session.commit()
        copy_name = "Test Sankey Save"
        tbl_id = self.table_ids.get('energy_usage')
        url = (
@@ -128,9 +128,15 @@ class CoreTests(SupersetTestCase):
            "collapsed_fieldsets=&action={}&datasource_name=energy_usage&"
            "datasource_id=1&datasource_type=table&previous_viz_type=sankey")

-        db.session.commit()
+        # Changing name
        resp = self.get_resp(url.format(tbl_id, slice_id, copy_name, 'save'))
        assert copy_name in resp
+
+        # Setting the name back to its original name
+        resp = self.get_resp(url.format(tbl_id, slice_id, slice_name, 'save'))
+        assert slice_name in resp
+
+        # Doing a basic overwrite
        assert 'Energy' in self.get_resp(
            url.format(tbl_id, slice_id, copy_name, 'overwrite'))

@@ -281,15 +287,15 @@ class CoreTests(SupersetTestCase):
        assert "List Dashboard" in self.get_resp('/dashboardmodelview/list/')

    def test_csv_endpoint(self):
+        self.login('admin')
        sql = """
            SELECT first_name, last_name
            FROM ab_user
            WHERE first_name='admin'
        """
        client_id = "{}".format(random.getrandbits(64))[:10]
-        self.run_sql(sql, 'admin', client_id)
+        self.run_sql(sql, client_id)

-        self.login('admin')
        resp = self.get_resp('/superset/csv/{}'.format(client_id))
        data = csv.reader(io.StringIO(resp))
        expected_data = csv.reader(
@@ -299,36 +305,48 @@ class CoreTests(SupersetTestCase):
        self.logout()

    def test_public_user_dashboard_access(self):
+        table = (
+            db.session
+            .query(models.SqlaTable)
+            .filter_by(table_name='birth_names')
+            .one()
+        )
        # Try access before adding appropriate permissions.
-        self.revoke_public_access('birth_names')
+        self.revoke_public_access_to_table(table)
        self.logout()

        resp = self.get_resp('/slicemodelview/list/')
-        assert 'birth_names</a>' not in resp
+        self.assertNotIn('birth_names</a>', resp)

        resp = self.get_resp('/dashboardmodelview/list/')
-        assert '/superset/dashboard/births/' not in resp
+        self.assertNotIn('/superset/dashboard/births/', resp)

-        self.setup_public_access_for_dashboard('birth_names')
+        self.grant_public_access_to_table(table)

        # Try access after adding appropriate permissions.
-        assert 'birth_names' in self.get_resp('/slicemodelview/list/')
+        self.assertIn('birth_names', self.get_resp('/slicemodelview/list/'))

        resp = self.get_resp('/dashboardmodelview/list/')
-        assert "/superset/dashboard/births/" in resp
+        self.assertIn("/superset/dashboard/births/", resp)

-        assert 'Births' in self.get_resp('/superset/dashboard/births/')
+        self.assertIn('Births', self.get_resp('/superset/dashboard/births/'))

        # Confirm that public doesn't have access to other datasets.
        resp = self.get_resp('/slicemodelview/list/')
-        assert 'wb_health_population</a>' not in resp
+        self.assertNotIn('wb_health_population</a>', resp)

        resp = self.get_resp('/dashboardmodelview/list/')
-        assert "/superset/dashboard/world_health/" not in resp
+        self.assertNotIn("/superset/dashboard/world_health/", resp)

    def test_dashboard_with_created_by_can_be_accessed_by_public_users(self):
        self.logout()
-        self.setup_public_access_for_dashboard('birth_names')
+        table = (
+            db.session
+            .query(models.SqlaTable)
+            .filter_by(table_name='birth_names')
+            .one()
+        )
+        self.grant_public_access_to_table(table)

        dash = db.session.query(models.Dashboard).filter_by(dashboard_title="Births").first()
        dash.owners = [appbuilder.sm.find_user('admin')]
@@ -382,8 +400,9 @@ class CoreTests(SupersetTestCase):
        self.assertEqual("SELECT '2017-01-01T00:00:00'", rendered)

    def test_templated_sql_json(self):
+        self.login('admin')
        sql = "SELECT '{{ datetime(2017, 1, 1).isoformat() }}' as test"
-        data = self.run_sql(sql, "admin", "fdaklj3ws")
+        data = self.run_sql(sql, "fdaklj3ws")
        self.assertEqual(data['data'][0]['test'], "2017-01-01T00:00:00")

    def test_table_metadata(self):