def raise_for_dashboard_access(dashboard: "Dashboard") -> None:
"""
Raise an exception if the user cannot access the dashboard.
:param dashboard: Dashboard the user wants access to
:raises DashboardAccessDeniedError: If the user cannot access the resource
"""
# pylint: disable=import-outside-toplevel
from superset import is_feature_enabled
from superset.dashboards.commands.exceptions import DashboardAccessDeniedError
from superset.views.base import get_user_roles, is_user_admin
from superset.views.utils import is_owner
has_rbac_access = True
if is_feature_enabled("DASHBOARD_RBAC"):
has_rbac_access = any(
dashboard_role.id in [user_role.id for user_role in get_user_roles()]
for dashboard_role in dashboard.roles
)
can_access = (
is_user_admin()
or is_owner(dashboard, g.user)
or (dashboard.published and has_rbac_access)
or (not dashboard.published and not dashboard.roles)
)
if not can_access:
raise DashboardAccessDeniedError()
def apply(self, query: Query, value: Any) -> Query:
user_roles = [role.name.lower() for role in list(get_user_roles())]
if "admin" in user_roles:
return query
datasource_perms = security_manager.user_view_menu_names("datasource_access")
schema_perms = security_manager.user_view_menu_names("schema_access")
published_dash_query = (
db.session.query(Dashboard.id)
.join(Dashboard.slices)
.filter(
and_(
Dashboard.published == True, # pylint: disable=singleton-comparison
or_(
Slice.perm.in_(datasource_perms),
Slice.schema_perm.in_(schema_perms),
security_manager.can_access_all_datasources(),
),
)
)
)
users_favorite_dash_query = db.session.query(FavStar.obj_id).filter(
and_(
FavStar.user_id == security_manager.user_model.get_user_id(),
FavStar.class_name == "Dashboard",
)
)
owner_ids_query = (
db.session.query(Dashboard.id)
.join(Dashboard.owners)
.filter(
security_manager.user_model.id
== security_manager.user_model.get_user_id()
)
)
if "custom" in user_roles:
query = query.filter(
and_(
Dashboard.id.in_(owner_ids_query),
)
)
return query
query = query.filter(
or_(
Dashboard.id.in_(owner_ids_query),
Dashboard.id.in_(published_dash_query),
Dashboard.id.in_(users_favorite_dash_query),
)
)
return query
def apply(self, query: Query, value: Any) -> Query:
if is_user_admin():
return query
datasource_perms = security_manager.user_view_menu_names(
"datasource_access")
schema_perms = security_manager.user_view_menu_names("schema_access")
is_rbac_disabled_filter = []
dashboard_has_roles = Dashboard.roles.any()
if is_feature_enabled("DASHBOARD_RBAC"):
is_rbac_disabled_filter.append(~dashboard_has_roles)
datasource_perm_query = (db.session.query(Dashboard.id).join(
Dashboard.slices).filter(
and_(
Dashboard.published.is_(True),
*is_rbac_disabled_filter,
or_(
Slice.perm.in_(datasource_perms),
Slice.schema_perm.in_(schema_perms),
security_manager.can_access_all_datasources(),
),
)))
users_favorite_dash_query = db.session.query(FavStar.obj_id).filter(
and_(
FavStar.user_id == security_manager.user_model.get_user_id(),
FavStar.class_name == "Dashboard",
))
owner_ids_query = (db.session.query(Dashboard.id).join(
Dashboard.owners).filter(
security_manager.user_model.id ==
security_manager.user_model.get_user_id()))
dashboard_rbac_or_filters = []
if is_feature_enabled("DASHBOARD_RBAC"):
roles_based_query = (db.session.query(Dashboard.id).join(
Dashboard.roles).filter(
and_(
Dashboard.published.is_(True),
dashboard_has_roles,
Role.id.in_([x.id for x in get_user_roles()]),
), ))
dashboard_rbac_or_filters.append(
Dashboard.id.in_(roles_based_query))
query = query.filter(
or_(
Dashboard.id.in_(owner_ids_query),
Dashboard.id.in_(datasource_perm_query),
Dashboard.id.in_(users_favorite_dash_query),
*dashboard_rbac_or_filters,
))
return query
def raise_for_dashboard_access(dashboard: Dashboard) -> None:
from superset.views.base import get_user_roles, is_user_admin
from superset.views.utils import is_owner
if is_feature_enabled("DASHBOARD_RBAC"):
has_rbac_access = any(dashboard_role.id in
[user_role.id for user_role in get_user_roles()]
for dashboard_role in dashboard.roles)
can_access = (is_user_admin() or is_owner(dashboard, g.user)
or (dashboard.published and has_rbac_access))
if not can_access:
raise DashboardAccessDeniedError()
