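    def raise_for_dashboard_access(self, dashboard: "Dashboard") -> None:
        """
        Raise an exception if the user cannot access the dashboard.
        This does not check for the required role/permission pairs,
        it only concerns itself with entity relationships.

        Access is granted when any of the following holds:

        * the caller is a guest user whose guest token grants access to
          this dashboard (no other clause applies to guest users);
        * the caller is an admin or an owner of the dashboard;
        * the dashboard is published and, with the ``DASHBOARD_RBAC`` feature
          flag on, the caller holds at least one of the dashboard's roles
          (with the flag off, every published dashboard passes this clause);
        * the dashboard is unpublished and has no roles attached.

        :param dashboard: Dashboard the user wants access to
        :raises DashboardAccessDeniedError: If the user cannot access the resource
        """
        # pylint: disable=import-outside-toplevel
        from superset import is_feature_enabled
        from superset.dashboards.commands.exceptions import DashboardAccessDeniedError
        from superset.views.base import is_user_admin
        from superset.views.utils import is_owner

        def has_rbac_access() -> bool:
            """Return True if RBAC is off or the user shares a role with the dashboard."""
            if not is_feature_enabled("DASHBOARD_RBAC"):
                return True
            dashboard_role_ids = [role.id for role in dashboard.roles]
            if not dashboard_role_ids:
                # Nothing to match against; skip the user-role lookup entirely.
                return False
            # Resolve the user's roles once instead of once per dashboard role.
            user_role_ids = {role.id for role in self.get_user_roles()}
            return any(role_id in user_role_ids for role_id in dashboard_role_ids)

        if self.is_guest_user():
            # Guest users are scoped by their guest token only; the
            # admin/owner/role shortcuts below never apply to them.
            can_access = self.has_guest_access(
                GuestTokenResourceType.DASHBOARD, dashboard.id)
        else:
            # Note the last clause: an unpublished dashboard with no roles
            # attached passes this check for any non-guest caller.
            can_access = (is_user_admin() or is_owner(dashboard, g.user)
                          or (dashboard.published and has_rbac_access())
                          or (not dashboard.published and not dashboard.roles))

        if not can_access:
            raise DashboardAccessDeniedError()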
def test_post_access_denied(mock_raise_for_dashboard_access, client,
                            dashboard_id: int):
    """A POST to the permalink endpoint answers 403 when the access check raises."""
    login(client, "admin")
    # The mocked check raises for every caller, so even the admin login
    # above must end in a 403.
    mock_raise_for_dashboard_access.side_effect = DashboardAccessDeniedError()
    url = f"api/v1/dashboard/{dashboard_id}/permalink"
    response = client.post(url, json=STATE)
    assert response.status_code == 403
def test_delete_access_denied(mock_raise_for_dashboard_access, client,
                              dashboard_id: int):
    """A DELETE of filter state answers 403 when the access check raises."""
    login(client, "admin")
    # The mocked check raises for every caller, so even the admin login
    # above must end in a 403.
    mock_raise_for_dashboard_access.side_effect = DashboardAccessDeniedError()
    url = f"api/v1/dashboard/{dashboard_id}/filter_state/{key}/"
    response = client.delete(url)
    assert response.status_code == 403
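    def raise_for_dashboard_access(dashboard: "Dashboard") -> None:
        """
        Raise an exception if the user cannot access the dashboard.

        Access is granted when the current user is an admin or an owner of
        the dashboard, when the dashboard is published and the RBAC check
        passes, or when the dashboard is unpublished and has no roles
        attached. With the ``DASHBOARD_RBAC`` feature flag off the RBAC check
        always passes; with it on, the user must hold at least one of the
        dashboard's roles.

        :param dashboard: Dashboard the user wants access to
        :raises DashboardAccessDeniedError: If the user cannot access the resource
        """
        # pylint: disable=import-outside-toplevel
        from superset import is_feature_enabled
        from superset.dashboards.commands.exceptions import DashboardAccessDeniedError
        from superset.views.base import get_user_roles, is_user_admin
        from superset.views.utils import is_owner

        # Default is "pass" so that a disabled feature flag leaves the
        # published-dashboard clause below unchanged.
        has_rbac_access = True

        if is_feature_enabled("DASHBOARD_RBAC"):
            dashboard_role_ids = [role.id for role in dashboard.roles]
            if dashboard_role_ids:
                # Resolve the user's roles once instead of once per dashboard
                # role; the lookup is skipped when there is nothing to match.
                user_role_ids = {role.id for role in get_user_roles()}
                has_rbac_access = any(
                    role_id in user_role_ids for role_id in dashboard_role_ids
                )
            else:
                has_rbac_access = False

        # Note the last clause: an unpublished dashboard with no roles
        # attached passes this check for any caller.
        can_access = (
            is_user_admin()
            or is_owner(dashboard, g.user)
            or (dashboard.published and has_rbac_access)
            or (not dashboard.published and not dashboard.roles)
        )

        if not can_access:
            raise DashboardAccessDeniedError()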
def test_post_access_denied(mock_raise_for_dashboard_access, client, dashboard_id: int):
    """Creating filter state answers 403 when the access check raises."""
    login(client, "admin")
    # The mocked check raises for every caller, so even the admin login
    # above must end in a 403.
    mock_raise_for_dashboard_access.side_effect = DashboardAccessDeniedError()
    url = f"api/v1/dashboard/{dashboard_id}/filter_state"
    response = client.post(url, json={"value": INITIAL_VALUE})
    assert response.status_code == 403
def test_put_access_denied(mock_raise_for_dashboard_access, test_client,
                           login_as_admin, dashboard_id: int):
    """Updating filter state answers 403 when the access check raises."""
    # The mocked check raises for every caller, so even the admin session
    # provided by the login_as_admin fixture must end in a 403.
    mock_raise_for_dashboard_access.side_effect = DashboardAccessDeniedError()
    url = f"api/v1/dashboard/{dashboard_id}/filter_state/{KEY}"
    response = test_client.put(url, json={"value": UPDATED_VALUE})
    assert response.status_code == 403
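def raise_for_dashboard_access(dashboard: Dashboard) -> None:
    """
    Raise an exception if the current user cannot access the dashboard.

    The check only runs when the ``DASHBOARD_RBAC`` feature flag is enabled;
    with the flag off this function returns without evaluating anything, so a
    silent return does not by itself mean an RBAC decision was made. With the
    flag on, access is granted to admins, to owners of the dashboard, and to
    users holding at least one of the dashboard's roles when the dashboard is
    published.

    :param dashboard: Dashboard the user wants access to
    :raises DashboardAccessDeniedError: If the user cannot access the resource
    """
    from superset.views.base import get_user_roles, is_user_admin
    from superset.views.utils import is_owner

    if not is_feature_enabled("DASHBOARD_RBAC"):
        return

    dashboard_role_ids = [role.id for role in dashboard.roles]
    if dashboard_role_ids:
        # Resolve the user's roles once instead of once per dashboard role;
        # the lookup is skipped when there is nothing to match against.
        user_role_ids = {role.id for role in get_user_roles()}
        has_rbac_access = any(role_id in user_role_ids for role_id in dashboard_role_ids)
    else:
        has_rbac_access = False

    can_access = (is_user_admin() or is_owner(dashboard, g.user)
                  or (dashboard.published and has_rbac_access))

    if not can_access:
        raise DashboardAccessDeniedError()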
def test_delete_access_denied(mock_raise_for_dashboard_access, test_client,
                              login_as_admin, dashboard_id: int):
    """Deleting filter state answers 403 when the access check raises."""
    # The mocked check raises for every caller, so even the admin session
    # provided by the login_as_admin fixture must end in a 403.
    mock_raise_for_dashboard_access.side_effect = DashboardAccessDeniedError()
    url = f"api/v1/dashboard/{dashboard_id}/filter_state/{KEY}"
    response = test_client.delete(url)
    assert response.status_code == 403