fix: database permissions on update and delete (avoid orphaned perms) (#20081)

* fix: database permissions on update and delete (avoid orphaned perms) * fix event transaction * fix test * fix lint * update datasource access permissions * add tests * fix import * fix tests * update slice and dataset perms also * fix lint * fix tests * fix lint * fix lint * add test for edge case, small refactor * add test for edge case, small refactor * improve code * fix lint
2026-05-07 08:54:23 +00:00 · 2022-08-02 18:28:46 +01:00
parent 34ad80c642
commit bfd2a3d79f
6 changed files with 430 additions and 5 deletions
--- a/superset/databases/commands/update.py
+++ b/superset/databases/commands/update.py
@@ -44,10 +44,13 @@ class UpdateDatabaseCommand(BaseCommand):

    def run(self) -> Model:
        self.validate()
+        if not self._model:
+            raise DatabaseNotFoundError()
+        old_database_name = self._model.database_name
+
        try:
            database = DatabaseDAO.update(self._model, self._properties, commit=False)
            database.set_sqlalchemy_uri(database.sqlalchemy_uri)
-            security_manager.add_permission_view_menu("database_access", database.perm)
            # adding a new database we always want to force refresh schema list
            # TODO Improve this simplistic implementation for catching DB conn fails
            try:
@@ -55,7 +58,24 @@ class UpdateDatabaseCommand(BaseCommand):
            except Exception as ex:
                db.session.rollback()
                raise DatabaseConnectionFailedError() from ex
+            # Update database schema permissions
+            new_schemas: List[str] = []
            for schema in schemas:
+                old_view_menu_name = security_manager.get_schema_perm(
+                    old_database_name, schema
+                )
+                new_view_menu_name = security_manager.get_schema_perm(
+                    database.database_name, schema
+                )
+                schema_pvm = security_manager.find_permission_view_menu(
+                    "schema_access", old_view_menu_name
+                )
+                # Update the schema permission if the database name changed
+                if schema_pvm and old_database_name != database.database_name:
+                    schema_pvm.view_menu.name = new_view_menu_name
+                else:
+                    new_schemas.append(schema)
+            for schema in new_schemas:
                security_manager.add_permission_view_menu(
                    "schema_access", security_manager.get_schema_perm(database, schema)
                )