QT/superset2
1
0
Fork 0
mirror of https://github.com/apache/superset.git synced 2026-04-19 08:04:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: Dashboard aware RBAC "Save as" menu item (#24806)

Browse Source
This commit is contained in:
John Bodley
2023-08-09 13:37:52 -07:00
committed by GitHub
parent 34586648a5
commit f6c3f0cbbb
9 changed files with 197 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

90
tests/integration_tests/dashboards/security/security_rbac_tests.py
View File

@@ -15,11 +15,16 @@
# specific language governing permissions and limitations
# under the License.
"""Unit tests for Superset"""
import json
from unittest import mock
from unittest.mock import patch
import pytest
from superset.utils.core import backend
from superset.daos.dashboard import DashboardDAO
from superset.dashboards.commands.exceptions import DashboardForbiddenError
from superset.utils.core import backend, override_user
from tests.integration_tests.conftest import with_feature_flags
from tests.integration_tests.dashboards.dashboard_test_utils import *
from tests.integration_tests.dashboards.security.base_case import (
BaseTestDashboardSecurity,
@@ -36,6 +41,10 @@ from tests.integration_tests.fixtures.birth_names_dashboard import (
)
from tests.integration_tests.fixtures.public_role import public_role_like_gamma
from tests.integration_tests.fixtures.query_context import get_query_context
from tests.integration_tests.fixtures.world_bank_dashboard import (
load_world_bank_dashboard_with_slices,
load_world_bank_data,
)
CHART_DATA_URI = "api/v1/chart/data"
@@ -431,3 +440,82 @@ class TestDashboardRoleBasedSecurity(BaseTestDashboardSecurity):
# rollback changes
db.session.delete(dashboard)
db.session.commit()
@with_feature_flags(DASHBOARD_RBAC=True)
@pytest.mark.usefixtures("load_world_bank_dashboard_with_slices")
def test_copy_dashboard_via_api(self):
source = db.session.query(Dashboard).filter_by(slug="world_health").first()
source.roles = [self.get_role("Gamma")]
if not (published := source.published):
source.published = True # Required per the DashboardAccessFilter for RBAC.
db.session.commit()
uri = f"api/v1/dashboard/{source.id}/copy/"
data = {
"dashboard_title": "copied dash",
"css": "<css>",
"duplicate_slices": False,
"json_metadata": json.dumps(
{
"positions": source.position,
"color_namespace": "Color Namespace Test",
"color_scheme": "Color Scheme Test",
}
),
}
self.login(username="gamma")
rv = self.client.post(uri, json=data)
self.assertEqual(rv.status_code, 403)
self.logout()
self.login(username="admin")
rv = self.client.post(uri, json=data)
self.assertEqual(rv.status_code, 200)
self.logout()
response = json.loads(rv.data.decode("utf-8"))
target = (
db.session.query(Dashboard)
.filter(Dashboard.id == response["result"]["id"])
.one()
)
db.session.delete(target)
source.roles = []
if not published:
source.published = False
db.session.commit()
@with_feature_flags(DASHBOARD_RBAC=True)
@pytest.mark.usefixtures("load_world_bank_dashboard_with_slices")
def test_copy_dashboard_via_dao(self):
source = db.session.query(Dashboard).filter_by(slug="world_health").first()
data = {
"dashboard_title": "copied dash",
"css": "<css>",
"duplicate_slices": False,
"json_metadata": json.dumps(
{
"positions": source.position,
"color_namespace": "Color Namespace Test",
"color_scheme": "Color Scheme Test",
}
),
}
with override_user(security_manager.find_user("gamma")):
with pytest.raises(DashboardForbiddenError):
DashboardDAO.copy_dashboard(source, data)
with override_user(security_manager.find_user("admin")):
target = DashboardDAO.copy_dashboard(source, data)
db.session.delete(target)
db.session.commit()