fix: permission checks on import (#23200)

2026-05-12 19:35:17 +00:00 · 2023-03-15 08:31:09 -07:00
parent 831978f0f7
commit cfc2ca672e
17 changed files with 621 additions and 99 deletions
--- a/tests/unit_tests/dashboards/commands/importers/v1/import_test.py
+++ b/tests/unit_tests/dashboards/commands/importers/v1/import_test.py
@@ -18,19 +18,26 @@

 import copy

+import pytest
+from pytest_mock import MockFixture
 from sqlalchemy.orm.session import Session

+from superset.commands.exceptions import ImportFailedError

-def test_import_dashboard(session: Session) -> None:
+
+def test_import_dashboard(mocker: MockFixture, session: Session) -> None:
    """
    Test importing a dashboard.
    """
+    from superset import security_manager
    from superset.connectors.sqla.models import SqlaTable
    from superset.dashboards.commands.importers.v1.utils import import_dashboard
    from superset.models.core import Database
    from superset.models.slice import Slice
    from tests.integration_tests.fixtures.importexport import dashboard_config

+    mocker.patch.object(security_manager, "can_access", return_value=True)
+
    engine = session.get_bind()
    Slice.metadata.create_all(engine)  # pylint: disable=no-member

@@ -43,16 +50,22 @@ def test_import_dashboard(session: Session) -> None:
    assert dashboard.external_url is None


-def test_import_dashboard_managed_externally(session: Session) -> None:
+def test_import_dashboard_managed_externally(
+    mocker: MockFixture,
+    session: Session,
+) -> None:
    """
    Test importing a dashboard that is managed externally.
    """
+    from superset import security_manager
    from superset.connectors.sqla.models import SqlaTable
    from superset.dashboards.commands.importers.v1.utils import import_dashboard
    from superset.models.core import Database
    from superset.models.slice import Slice
    from tests.integration_tests.fixtures.importexport import dashboard_config

+    mocker.patch.object(security_manager, "can_access", return_value=True)
+
    engine = session.get_bind()
    Slice.metadata.create_all(engine)  # pylint: disable=no-member

@@ -63,3 +76,32 @@ def test_import_dashboard_managed_externally(session: Session) -> None:
    dashboard = import_dashboard(session, config)
    assert dashboard.is_managed_externally is True
    assert dashboard.external_url == "https://example.org/my_dashboard"
+
+
+def test_import_dashboard_without_permission(
+    mocker: MockFixture,
+    session: Session,
+) -> None:
+    """
+    Test importing a dashboard when a user doesn't have permissions to create.
+    """
+    from superset import security_manager
+    from superset.connectors.sqla.models import SqlaTable
+    from superset.dashboards.commands.importers.v1.utils import import_dashboard
+    from superset.models.core import Database
+    from superset.models.slice import Slice
+    from tests.integration_tests.fixtures.importexport import dashboard_config
+
+    mocker.patch.object(security_manager, "can_access", return_value=False)
+
+    engine = session.get_bind()
+    Slice.metadata.create_all(engine)  # pylint: disable=no-member
+
+    config = copy.deepcopy(dashboard_config)
+
+    with pytest.raises(ImportFailedError) as excinfo:
+        import_dashboard(session, config)
+    assert (
+        str(excinfo.value)
+        == "Dashboard doesn't exist and user doesn't have permission to create dashboards"
+    )