QT/superset2
1
0
Fork 0
mirror of https://github.com/apache/superset.git synced 2026-04-25 02:55:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
1e2d0faa55dfca1b4e81bded56fadcf2a937471a
superset2/superset-frontend/playwright/tests/experimental/dashboard/theme.spec.ts
Joe Li 03de7e1ec6 fix(dashboard): use inline theme data to prevent 403 for non-admin users (#38384) 
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 16:17:03 -07:00

153 lines
5.4 KiB
TypeScript
Raw Blame History

/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
import { test, expect } from '@playwright/test';
import { AuthPage } from '../../../pages/AuthPage';
import { DashboardPage } from '../../../pages/DashboardPage';
import { apiPostTheme, apiDeleteTheme } from '../../../helpers/api/theme';
import {
apiPostDashboard,
apiPutDashboard,
apiDeleteDashboard,
} from '../../../helpers/api/dashboard';
import { apiGet } from '../../../helpers/api/requests';
import { TIMEOUT } from '../../../utils/constants';
/**
* Dashboard Theme E2E tests.
*
* Prerequisites:
* - Superset running with example data loaded
* - Admin user authenticated (via global-setup)
* - Non-admin test user created by `superset load-test-users`
*
* Credentials are configurable via environment variables:
* - PLAYWRIGHT_NONADMIN_USERNAME (default: 'gamma')
* - PLAYWRIGHT_NONADMIN_PASSWORD (default: 'general')
*/
const NONADMIN_USERNAME = process.env.PLAYWRIGHT_NONADMIN_USERNAME || 'gamma';
const NONADMIN_PASSWORD = process.env.PLAYWRIGHT_NONADMIN_PASSWORD || 'general';
// Clear storageState so the default page fixture starts unauthenticated.
// Admin API calls use an explicit admin context with saved auth instead.
test.use({ storageState: { cookies: [], origins: [] } });
test('non-admin user can view a themed dashboard without 403 or infinite spinner', async ({
page,
browser,
}) => {
test.setTimeout(60_000);
// --- ADMIN SETUP (explicit admin context with saved auth) ---
const adminContext = await browser.newContext({
baseURL: test.info().project.use.baseURL,
storageState: 'playwright/.auth/user.json',
});
const adminPage = await adminContext.newPage();
let themeId: number | undefined;
let dashboardId: number | undefined;
try {
// 1. Create a theme
const themeRes = await apiPostTheme(adminPage, {
theme_name: `e2e_theme_test_${Date.now()}`,
json_data: '{}',
});
expect(themeRes.ok()).toBe(true);
const themeBody = await themeRes.json();
themeId = themeBody.id;
expect(themeId).toBeTruthy();
// 2. Create a published dashboard with the theme assigned
const dashRes = await apiPostDashboard(adminPage, {
dashboard_title: `E2E Theme Test ${Date.now()}`,
published: true,
theme_id: themeId,
});
expect(dashRes.ok()).toBe(true);
const dashBody = await dashRes.json();
dashboardId = dashBody.id;
expect(dashboardId).toBeTruthy();
// 3. Grant non-admin user access by adding them as a dashboard owner
const usersRes = await apiGet(
adminPage,
`api/v1/dashboard/related/owners?q=(filter:'${NONADMIN_USERNAME}')`,
);
expect(usersRes.ok()).toBe(true);
const usersBody = await usersRes.json();
const gammaUserId = usersBody.result?.[0]?.value;
expect(gammaUserId).toBeTruthy();
const putRes = await apiPutDashboard(adminPage, dashboardId!, {
owners: [gammaUserId],
});
expect(putRes.ok()).toBe(true);
// --- NON-ADMIN USER PHASE (page has no cached auth via test.use) ---
// 4. Instrument network: track any /api/v1/theme/ requests and 403 responses
const themeApiRequests: string[] = [];
const forbiddenResponses: string[] = [];
page.on('response', response => {
const url = response.url();
if (url.includes('/api/v1/theme/')) {
themeApiRequests.push(url);
}
if (response.status() === 403 && url.includes('/api/v1/theme/')) {
forbiddenResponses.push(url);
}
});
// 5. Login as non-admin user
const authPage = new AuthPage(page);
await authPage.goto();
await authPage.waitForLoginForm();
await authPage.loginWithCredentials(NONADMIN_USERNAME, NONADMIN_PASSWORD);
await authPage.waitForLoginSuccess();
// 6. Navigate to the themed dashboard
const dashboardPage = new DashboardPage(page);
await dashboardPage.gotoById(dashboardId!);
// 7. Assert dashboard fully loads (not stuck on infinite spinner)
await dashboardPage.waitForLoad({ timeout: TIMEOUT.PAGE_LOAD });
await dashboardPage.waitForChartsToLoad();
// 8. Assert no /api/v1/theme/ requests were made (theme data comes from dashboard response)
expect(themeApiRequests).toHaveLength(0);
// Assert no 403 responses on /api/v1/theme/ (scoped to avoid login/unrelated 403 noise)
expect(forbiddenResponses).toHaveLength(0);
} finally {
// Cleanup: delete test resources using admin context
if (dashboardId) {
await apiDeleteDashboard(adminPage, dashboardId, {
failOnStatusCode: false,
}).catch(() => {});
}
if (themeId) {
await apiDeleteTheme(adminPage, themeId, {
failOnStatusCode: false,
}).catch(() => {});
}
await adminContext.close();
}
});
Reference in New Issue View Git Blame Copy Permalink