fix: chart import validation (#26993)
committed by
Michael S. Molina
parent
e772915bb8
commit
c029475f60
@@ -16,12 +16,16 @@
|
||||
# under the License.
|
||||
|
||||
import pytest
|
||||
from flask_appbuilder.security.sqla.models import Role, User
|
||||
from pytest_mock import MockFixture
|
||||
|
||||
from superset.common.query_object import QueryObject
|
||||
from superset.connectors.sqla.models import Database, SqlaTable
|
||||
from superset.exceptions import SupersetSecurityException
|
||||
from superset.extensions import appbuilder
|
||||
from superset.models.slice import Slice
|
||||
from superset.security.manager import SupersetSecurityManager
|
||||
from superset.utils.core import override_user
|
||||
|
||||
|
||||
def test_security_manager(app_context: None) -> None:
|
||||
@@ -164,3 +168,139 @@ def test_raise_for_access_query_default_schema(
|
||||
== """You need access to the following tables: `public.ab_user`,
|
||||
`all_database_access` or `all_datasource_access` permission"""
|
||||
)
|
||||
|
||||
|
||||
def test_raise_for_access_chart_for_datasource_permission(
|
||||
mocker: MockFixture,
|
||||
app_context: None,
|
||||
) -> None:
|
||||
"""
|
||||
Test that the security manager can raise an exception for chart access,
|
||||
when the user does not have access to the chart datasource
|
||||
"""
|
||||
sm = SupersetSecurityManager(appbuilder)
|
||||
session = sm.get_session
|
||||
|
||||
engine = session.get_bind()
|
||||
Slice.metadata.create_all(engine) # pylint: disable=no-member
|
||||
|
||||
alpha = User(
|
||||
first_name="Alice",
|
||||
last_name="Doe",
|
||||
email="adoe@example.org",
|
||||
username="admin",
|
||||
roles=[Role(name="Alpha")],
|
||||
)
|
||||
|
||||
dataset = SqlaTable(
|
||||
table_name="test_table",
|
||||
metrics=[],
|
||||
main_dttm_col=None,
|
||||
database=Database(database_name="my_database", sqlalchemy_uri="sqlite://"),
|
||||
)
|
||||
session.add(dataset)
|
||||
session.flush()
|
||||
|
||||
slice = Slice(
|
||||
id=1,
|
||||
datasource_id=dataset.id,
|
||||
datasource_type="table",
|
||||
datasource_name="tmp_perm_table",
|
||||
slice_name="slice_name",
|
||||
)
|
||||
session.add(slice)
|
||||
session.flush()
|
||||
|
||||
mocker.patch.object(sm, "can_access_datasource", return_value=False)
|
||||
with override_user(alpha):
|
||||
with pytest.raises(SupersetSecurityException) as excinfo:
|
||||
sm.raise_for_access(
|
||||
chart=slice,
|
||||
)
|
||||
assert str(excinfo.value) == "You don't have access to this chart."
|
||||
|
||||
mocker.patch.object(sm, "can_access_datasource", return_value=True)
|
||||
with override_user(alpha):
|
||||
sm.raise_for_access(
|
||||
chart=slice,
|
||||
)
|
||||
|
||||
|
||||
def test_raise_for_access_chart_on_admin(
|
||||
app_context: None,
|
||||
) -> None:
|
||||
"""
|
||||
Test that the security manager can raise an exception for chart access,
|
||||
when the user does not have access to the chart datasource
|
||||
"""
|
||||
from flask_appbuilder.security.sqla.models import Role, User
|
||||
|
||||
from superset.models.slice import Slice
|
||||
from superset.utils.core import override_user
|
||||
|
||||
sm = SupersetSecurityManager(appbuilder)
|
||||
session = sm.get_session
|
||||
|
||||
engine = session.get_bind()
|
||||
Slice.metadata.create_all(engine) # pylint: disable=no-member
|
||||
|
||||
admin = User(
|
||||
first_name="Alice",
|
||||
last_name="Doe",
|
||||
email="adoe@example.org",
|
||||
username="admin",
|
||||
roles=[Role(name="Admin")],
|
||||
)
|
||||
|
||||
slice = Slice(
|
||||
id=1,
|
||||
datasource_id=1,
|
||||
datasource_type="table",
|
||||
datasource_name="tmp_perm_table",
|
||||
slice_name="slice_name",
|
||||
)
|
||||
session.add(slice)
|
||||
session.flush()
|
||||
|
||||
with override_user(admin):
|
||||
sm.raise_for_access(
|
||||
chart=slice,
|
||||
)
|
||||
|
||||
|
||||
def test_raise_for_access_chart_owner(
|
||||
app_context: None,
|
||||
) -> None:
|
||||
"""
|
||||
Test that the security manager can raise an exception for chart access,
|
||||
when the user does not have access to the chart datasource
|
||||
"""
|
||||
sm = SupersetSecurityManager(appbuilder)
|
||||
session = sm.get_session
|
||||
|
||||
engine = session.get_bind()
|
||||
Slice.metadata.create_all(engine) # pylint: disable=no-member
|
||||
|
||||
alpha = User(
|
||||
first_name="Alice",
|
||||
last_name="Doe",
|
||||
email="adoe@example.org",
|
||||
username="admin",
|
||||
roles=[Role(name="Alpha")],
|
||||
)
|
||||
|
||||
slice = Slice(
|
||||
id=1,
|
||||
datasource_id=1,
|
||||
datasource_type="table",
|
||||
datasource_name="tmp_perm_table",
|
||||
slice_name="slice_name",
|
||||
owners=[alpha],
|
||||
)
|
||||
session.add(slice)
|
||||
session.flush()
|
||||
|
||||
with override_user(alpha):
|
||||
sm.raise_for_access(
|
||||
chart=slice,
|
||||
)
|
||||
|
||||
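Review bot: The docstrings of `test_raise_for_access_chart_on_admin` and `test_raise_for_access_chart_owner` are copied from the datasource-permission test and say an exception is raised, yet both tests only assert that `sm.raise_for_access(chart=slice)` returns without raising. They should state the allow case, e.g. `"""Test that raise_for_access does not raise for a chart when the user has the Admin role."""` and `"""Test that raise_for_access does not raise for a chart when the user is one of its owners."""`. Neither of these two tests patches `can_access_datasource`, so from the visible lines it is not clear whether a pass comes from the role/ownership check or from the datasource check; taking `mocker: MockFixture` and adding `mocker.patch.object(sm, "can_access_datasource", return_value=False)` before the `override_user` block would pin the authorization path being tested. The function-local imports of `Role`, `User`, `Slice` and `override_user` in the admin test duplicate the module-level imports added in the first hunk and can be dropped. The non-admin fixtures also use `username="admin"` with `Role(name="Alpha")`, which makes the deny case harder to read; a distinct username such as `username="alpha"` would avoid that.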