def raise_for_dashboard_access(self, dashboard: "Dashboard") -> None:
"""
Raise an exception if the user cannot access the dashboard.
This does not check for the required role/permission pairs,
it only concerns itself with entity relationships.
:param dashboard: Dashboard the user wants access to
:raises DashboardAccessDeniedError: If the user cannot access the resource
"""
# pylint: disable=import-outside-toplevel
from superset import is_feature_enabled
from superset.dashboards.commands.exceptions import DashboardAccessDeniedError
from superset.views.base import is_user_admin
from superset.views.utils import is_owner
def has_rbac_access() -> bool:
return (not is_feature_enabled("DASHBOARD_RBAC")) or any(
dashboard_role.id in
[user_role.id for user_role in self.get_user_roles()]
for dashboard_role in dashboard.roles)
if self.is_guest_user():
can_access = self.has_guest_access(
GuestTokenResourceType.DASHBOARD, dashboard.id)
else:
can_access = (is_user_admin() or is_owner(dashboard, g.user)
or (dashboard.published and has_rbac_access())
or (not dashboard.published and not dashboard.roles))
if not can_access:
raise DashboardAccessDeniedError()
def raise_for_dashboard_access(dashboard: "Dashboard") -> None:
"""
Raise an exception if the user cannot access the dashboard.
:param dashboard: Dashboard the user wants access to
:raises DashboardAccessDeniedError: If the user cannot access the resource
"""
# pylint: disable=import-outside-toplevel
from superset import is_feature_enabled
from superset.dashboards.commands.exceptions import DashboardAccessDeniedError
from superset.views.base import get_user_roles, is_user_admin
from superset.views.utils import is_owner
has_rbac_access = True
if is_feature_enabled("DASHBOARD_RBAC"):
has_rbac_access = any(
dashboard_role.id in [user_role.id for user_role in get_user_roles()]
for dashboard_role in dashboard.roles
)
can_access = (
is_user_admin()
or is_owner(dashboard, g.user)
or (dashboard.published and has_rbac_access)
or (not dashboard.published and not dashboard.roles)
)
if not can_access:
raise DashboardAccessDeniedError()
def apply(self, query: Query, value: Any) -> Query:
if is_user_admin():
return query
datasource_perms = security_manager.user_view_menu_names(
"datasource_access")
schema_perms = security_manager.user_view_menu_names("schema_access")
is_rbac_disabled_filter = []
dashboard_has_roles = Dashboard.roles.any()
if is_feature_enabled("DASHBOARD_RBAC"):
is_rbac_disabled_filter.append(~dashboard_has_roles)
datasource_perm_query = (db.session.query(Dashboard.id).join(
Dashboard.slices).filter(
and_(
Dashboard.published.is_(True),
*is_rbac_disabled_filter,
or_(
Slice.perm.in_(datasource_perms),
Slice.schema_perm.in_(schema_perms),
security_manager.can_access_all_datasources(),
),
)))
users_favorite_dash_query = db.session.query(FavStar.obj_id).filter(
and_(
FavStar.user_id == security_manager.user_model.get_user_id(),
FavStar.class_name == "Dashboard",
))
owner_ids_query = (db.session.query(Dashboard.id).join(
Dashboard.owners).filter(
security_manager.user_model.id ==
security_manager.user_model.get_user_id()))
dashboard_rbac_or_filters = []
if is_feature_enabled("DASHBOARD_RBAC"):
roles_based_query = (db.session.query(Dashboard.id).join(
Dashboard.roles).filter(
and_(
Dashboard.published.is_(True),
dashboard_has_roles,
Role.id.in_([x.id for x in get_user_roles()]),
), ))
dashboard_rbac_or_filters.append(
Dashboard.id.in_(roles_based_query))
query = query.filter(
or_(
Dashboard.id.in_(owner_ids_query),
Dashboard.id.in_(datasource_perm_query),
Dashboard.id.in_(users_favorite_dash_query),
*dashboard_rbac_or_filters,
))
return query
def raise_for_dashboard_access(dashboard: Dashboard) -> None:
from superset.views.base import get_user_roles, is_user_admin
from superset.views.utils import is_owner
if is_feature_enabled("DASHBOARD_RBAC"):
has_rbac_access = any(dashboard_role.id in
[user_role.id for user_role in get_user_roles()]
for dashboard_role in dashboard.roles)
can_access = (is_user_admin() or is_owner(dashboard, g.user)
or (dashboard.published and has_rbac_access))
if not can_access:
raise DashboardAccessDeniedError()
def check_access(dataset_id: int, chart_id: Optional[int],
actor: User) -> None:
check_dataset_access(dataset_id)
if not chart_id:
return
chart = ChartDAO.find_by_id(chart_id)
if chart:
can_access_chart = (is_user_admin() or is_owner(chart, actor)
or security_manager.can_access(
"can_read", "Chart"))
if can_access_chart:
return
raise ChartAccessDeniedError()
raise ChartNotFoundError()
def apply(self, query: Query, value: Any) -> Query:
if is_user_admin():
return query
current_user_id = g.user.id
filter_set_ids_by_dashboard_owners = ( # pylint: disable=C0103
query.from_self(FilterSet.id).join(
dashboard_user,
FilterSet.owner_id == dashboard_user.c.dashboard_id).filter(
and_(
FilterSet.owner_type == DASHBOARD_OWNER_TYPE,
dashboard_user.c.user_id == current_user_id,
)))
return query.filter(
or_(
and_(
FilterSet.owner_type == USER_OWNER_TYPE,
FilterSet.owner_id == current_user_id,
),
FilterSet.id.in_(filter_set_ids_by_dashboard_owners),
))
def apply(self, query: Query, value: Any) -> Query:
if is_user_admin():
return query
datasource_perms = security_manager.user_view_menu_names(
"datasource_access")
schema_perms = security_manager.user_view_menu_names("schema_access")
published_dash_query = (
db.session.query(Dashboard.id).join(Dashboard.slices).filter(
and_(
Dashboard.published == True, # pylint: disable=singleton-comparison
or_(
Slice.perm.in_(datasource_perms),
Slice.schema_perm.in_(schema_perms),
security_manager.can_access_all_datasources(),
),
)))
users_favorite_dash_query = db.session.query(FavStar.obj_id).filter(
and_(
FavStar.user_id == security_manager.user_model.get_user_id(),
FavStar.class_name == "Dashboard",
))
owner_ids_query = (db.session.query(Dashboard.id).join(
Dashboard.owners).filter(
security_manager.user_model.id ==
security_manager.user_model.get_user_id()))
query = query.filter(
or_(
Dashboard.id.in_(owner_ids_query),
Dashboard.id.in_(published_dash_query),
Dashboard.id.in_(users_favorite_dash_query),
))
return query
def apply(self, query: Query, value: Any) -> Query:
if is_user_admin():
return query
datasource_perms = security_manager.user_view_menu_names(
"datasource_access")
schema_perms = security_manager.user_view_menu_names("schema_access")
is_rbac_disabled_filter = []
dashboard_has_roles = Dashboard.roles.any()
if is_feature_enabled("DASHBOARD_RBAC"):
is_rbac_disabled_filter.append(~dashboard_has_roles)
datasource_perm_query = (db.session.query(Dashboard.id).join(
Dashboard.slices).filter(
and_(
Dashboard.published.is_(True),
*is_rbac_disabled_filter,
or_(
Slice.perm.in_(datasource_perms),
Slice.schema_perm.in_(schema_perms),
security_manager.can_access_all_datasources(),
),
)))
users_favorite_dash_query = db.session.query(FavStar.obj_id).filter(
and_(
FavStar.user_id == security_manager.user_model.get_user_id(),
FavStar.class_name == "Dashboard",
))
owner_ids_query = (db.session.query(Dashboard.id).join(
Dashboard.owners).filter(
security_manager.user_model.id ==
security_manager.user_model.get_user_id()))
feature_flagged_filters = []
if is_feature_enabled("DASHBOARD_RBAC"):
roles_based_query = (db.session.query(Dashboard.id).join(
Dashboard.roles).filter(
and_(
Dashboard.published.is_(True),
dashboard_has_roles,
Role.id.in_(
[x.id for x in security_manager.get_user_roles()]),
), ))
feature_flagged_filters.append(Dashboard.id.in_(roles_based_query))
if is_feature_enabled("EMBEDDED_SUPERSET"
) and security_manager.is_guest_user(g.user):
guest_user: GuestUser = g.user
embedded_dashboard_ids = [
r["id"] for r in guest_user.resources
if r["type"] == GuestTokenResourceType.DASHBOARD.value
]
# TODO (embedded): only use uuid filter once uuids are rolled out
condition = (Dashboard.embedded.any(
EmbeddedDashboard.uuid.in_(embedded_dashboard_ids)) if any(
is_uuid(id_) for id_ in embedded_dashboard_ids) else
Dashboard.id.in_(embedded_dashboard_ids))
feature_flagged_filters.append(condition)
query = query.filter(
or_(
Dashboard.id.in_(owner_ids_query),
Dashboard.id.in_(datasource_perm_query),
Dashboard.id.in_(users_favorite_dash_query),
*feature_flagged_filters,
))
return query
