fix: Drill to Detail for Embedded (#39214)

Co-authored-by: Maxime Beauchemin <maximebeauchemin@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Vitor Avila
2026-04-09 17:01:48 -03:00
committed by GitHub
parent 68067d7f44
commit c7955a38ef
6 changed files with 188 additions and 53 deletions


@@ -356,7 +356,100 @@ class TestGuestUserDatasourceAccess(SupersetTestCase):
}
)
def test_raise_for_access__no_chart_in_form_data(self):
def test_raise_for_access__drill_to_detail_happy_path(self):
"""
Drill to Detail: no slice_id in form_data, datasource is on the dashboard
the embedded user has access to.
"""
g.user = self.authorized_guest
for kwarg in ["viz", "query_context"]:
security_manager.raise_for_access(
**{
kwarg: Mock(
datasource=self.datasource,
form_data={
"dashboardId": self.dash.id,
},
slice_=None,
queries=[],
)
}
)
def test_raise_for_access__drill_to_detail_datasource_not_on_dashboard(self):
"""
Drill to Detail is denied when the target datasource is not associated
with the dashboard the embedded user has access to.
"""
g.user = self.authorized_guest
for kwarg in ["viz", "query_context"]:
with self.assertRaises(SupersetSecurityException): # noqa: PT027
security_manager.raise_for_access(
**{
kwarg: Mock(
datasource=self.other_datasource,
form_data={
"dashboardId": self.dash.id,
},
slice_=None,
queries=[],
)
}
)
def test_raise_for_access__drill_by_happy_path(self):
"""
Drill By: slice_id=0 (sentinel), chart_id points to a chart on the dashboard
whose datasource matches, the requested groupby column is drillable and the
embedded user has access to.
"""
g.user = self.authorized_guest
for kwarg in ["viz", "query_context"]:
security_manager.raise_for_access(
**{
kwarg: Mock(
datasource=self.datasource,
form_data={
"dashboardId": self.dash.id,
"slice_id": 0,
"chart_id": self.chart.id,
"groupby": ["gender"],
},
slice_=None,
queries=[],
)
}
)
def test_raise_for_access__drill_by_chart_not_on_dashboard(self):
"""
Drill By is denied when chart_id refers to a chart that is not on the
dashboard the embedded user has access to.
"""
g.user = self.authorized_guest
for kwarg in ["viz", "query_context"]:
with self.assertRaises(SupersetSecurityException): # noqa: PT027
security_manager.raise_for_access(
**{
kwarg: Mock(
datasource=self.other_datasource,
form_data={
"dashboardId": self.dash.id,
"slice_id": 0,
"chart_id": self.other_chart.id,
"groupby": ["gender"],
},
slice_=None,
queries=[],
)
}
)
def test_raise_for_access__drill_by_columns_not_drillable(self):
"""
Drill By is denied when the requested groupby columns are not marked as
drillable (groupby=True) on the datasource.
"""
g.user = self.authorized_guest
for kwarg in ["viz", "query_context"]:
with self.assertRaises(SupersetSecurityException): # noqa: PT027
@@ -366,7 +459,12 @@ class TestGuestUserDatasourceAccess(SupersetTestCase):
datasource=self.datasource,
form_data={
"dashboardId": self.dash.id,
"slice_id": 0,
"chart_id": self.chart.id,
"groupby": ["__not_a_drillable_column__"],
},
slice_=None,
queries=[],
)
}
)
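Review bot: `test_raise_for_access__drill_by_chart_not_on_dashboard` changes two inputs at once relative to the Drill By happy path, `datasource=self.other_datasource` and `"chart_id": self.other_chart.id`. The expected `SupersetSecurityException` may therefore come from the datasource-on-dashboard check that `test_raise_for_access__drill_to_detail_datasource_not_on_dashboard` already covers, which would leave the `chart_id` validation untested. Since this is the guest-token access boundary, it is worth adding a case that keeps `datasource=self.datasource` and varies only `"chart_id": self.other_chart.id`, so a regression in the chart-membership check is caught on its own. The fixtures (`self.other_chart`, `self.other_datasource`) and `raise_for_access` itself are outside this section, so this assumes `other_chart` is not attached to `self.dash`.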