mirror of
https://github.com/apache/superset.git
synced 2026-07-12 01:35:36 +00:00
96 lines
3.9 KiB
Python
96 lines
3.9 KiB
Python
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
|
|
import logging
|
|
from typing import Any, Optional
|
|
|
|
from marshmallow import ValidationError
|
|
|
|
from superset.commands.base import BaseCommand
|
|
from superset.commands.exceptions import DatasourceNotFoundValidationError
|
|
from superset.commands.security.exceptions import RLSRuleNotFoundError
|
|
from superset.commands.security.utils import raise_for_datasource_access
|
|
from superset.commands.utils import populate_subject_list
|
|
from superset.connectors.sqla.models import RowLevelSecurityFilter, SqlaTable
|
|
from superset.daos.security import RLSDAO
|
|
from superset.extensions import db
|
|
from superset.utils.core import RowLevelSecurityFilterType
|
|
from superset.utils.decorators import transaction
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
class UpdateRLSRuleCommand(BaseCommand):
|
|
def __init__(self, model_id: int, data: dict[str, Any]):
|
|
self._model_id = model_id
|
|
self._properties = data.copy()
|
|
self._tables = self._properties.get("tables", [])
|
|
self._subjects = self._properties.get("subjects", [])
|
|
self._model: Optional[RowLevelSecurityFilter] = None
|
|
|
|
@transaction()
|
|
def run(self) -> Any:
|
|
self.validate()
|
|
assert self._model
|
|
return RLSDAO.update(self._model, self._properties)
|
|
|
|
def validate(self) -> None:
|
|
self._model = RLSDAO.find_by_id(int(self._model_id))
|
|
if not self._model:
|
|
raise RLSRuleNotFoundError()
|
|
|
|
# Only resolve and overwrite the relationships that are actually present
|
|
# in the request body. A partial update (e.g. changing only the name)
|
|
# must leave the rule's existing tables/subjects bindings untouched
|
|
# rather than replacing them with empty lists.
|
|
if "subjects" in self._properties:
|
|
subjects = populate_subject_list(
|
|
self._subjects,
|
|
default_to_user=False,
|
|
)
|
|
self._properties["subjects"] = subjects
|
|
else:
|
|
subjects = list(self._model.subjects)
|
|
|
|
filter_type = self._properties.get("filter_type", self._model.filter_type)
|
|
filter_type_value = getattr(filter_type, "value", filter_type)
|
|
if (
|
|
filter_type_value == RowLevelSecurityFilterType.REGULAR.value
|
|
and not subjects
|
|
):
|
|
raise ValidationError(
|
|
{"subjects": ["Regular RLS filters require at least one subject."]}
|
|
)
|
|
|
|
if "tables" in self._properties:
|
|
tables = (
|
|
db.session.query(SqlaTable)
|
|
.filter(SqlaTable.id.in_(self._tables)) # type: ignore[attr-defined]
|
|
.all()
|
|
)
|
|
if len(tables) != len(self._tables):
|
|
raise DatasourceNotFoundValidationError()
|
|
raise_for_datasource_access(tables)
|
|
self._properties["tables"] = tables
|
|
else:
|
|
# A partial update that omits ``tables`` still mutates the rule, so
|
|
# enforce datasource access against the rule's existing tables to
|
|
# avoid letting a caller edit a rule bound to datasources they
|
|
# cannot access.
|
|
raise_for_datasource_access(self._model.tables)
|