fix: disallow users from viewing other user's profile on config (#21302)

Daniel Vaz Gaspar
2022-09-05 13:32:48 +01:00
committed by AAfghahi
parent 143c5f1ecc
commit dd919bc176
6 changed files with 44 additions and 11 deletions


@@ -851,6 +851,18 @@ class TestCore(SupersetTestCase):
data = self.get_json_resp(endpoint)
self.assertNotIn("message", data)
def test_user_profile_optional_access(self):
self.login(username="gamma")
resp = self.client.get(f"/superset/profile/admin/")
self.assertEqual(resp.status_code, 200)
app.config["ENABLE_BROAD_ACTIVITY_ACCESS"] = False
resp = self.client.get(f"/superset/profile/admin/")
self.assertEqual(resp.status_code, 403)
# Restore config
app.config["ENABLE_BROAD_ACTIVITY_ACCESS"] = True
@pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
def test_user_activity_access(self, username="gamma"):
self.login(username=username)
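Review bot: In test_user_profile_optional_access the flag is restored only by the final statement, so a failing 403 assertion leaves `ENABLE_BROAD_ACTIVITY_ACCESS` set to False for every later test that shares the app, and the restore hard-codes True instead of the previous value. Scoping the override around the second request, for example `with patch.dict(app.config, {"ENABLE_BROAD_ACTIVITY_ACCESS": False}):` (using `patch` from `unittest.mock`, if the file does not already import it), undoes it on any exit path. The test pins only the denied case; a second request by gamma for its own profile with the flag off would show the check does not over-block, assuming the view is meant to allow that, which is not visible in this hunk. The two `f"/superset/profile/admin/"` literals have no placeholders and can be plain strings. The enclosing TestCore class starts outside the hunk.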