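def raise_for_dashboard_access(self, dashboard: "Dashboard") -> None:
    """
    Raise an exception if the user cannot access the dashboard.

    This does not check for the required role/permission pairs, it only
    concerns itself with entity relationships (guest-token resources,
    ownership, dashboard roles and published state).

    Access is granted when one of the following holds:

    * the current user is a guest user whose token grants this dashboard
      (``has_guest_access``); nothing else is consulted for guests, or
    * the user is an admin, or
    * the user owns the dashboard, or
    * the dashboard is published and either ``DASHBOARD_RBAC`` is disabled
      or the user holds at least one of the dashboard's roles, or
    * the dashboard is unpublished and has no roles assigned at all.

    Note the last rule: at this layer an unpublished dashboard with no roles
    is reachable by any authenticated non-guest user.

    :param dashboard: Dashboard the user wants access to
    :raises DashboardAccessDeniedError: If the user cannot access the resource
    """
    # pylint: disable=import-outside-toplevel
    from superset import is_feature_enabled
    from superset.dashboards.commands.exceptions import DashboardAccessDeniedError
    from superset.views.base import is_user_admin
    from superset.views.utils import is_owner

    def has_rbac_access() -> bool:
        # With the feature flag off, dashboard role assignments are not enforced.
        if not is_feature_enabled("DASHBOARD_RBAC"):
            return True
        # Collect the user's role ids once instead of rebuilding the list
        # for every role attached to the dashboard.
        user_role_ids = {user_role.id for user_role in self.get_user_roles()}
        return any(
            dashboard_role.id in user_role_ids for dashboard_role in dashboard.roles
        )

    if self.is_guest_user():
        # Guest (embedded) users are authorised solely by their token's
        # resource list; ownership and roles do not apply to them.
        can_access = self.has_guest_access(
            GuestTokenResourceType.DASHBOARD, dashboard.id
        )
    else:
        can_access = (
            is_user_admin()
            or is_owner(dashboard, g.user)
            or (dashboard.published and has_rbac_access())
            or (not dashboard.published and not dashboard.roles)
        )

    if not can_access:
        raise DashboardAccessDeniedError()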
def test_post_access_denied(mock_raise_for_dashboard_access, client, dashboard_id: int):
    """Creating a permalink answers 403 when the dashboard access check raises."""
    login(client, "admin")
    # The access check is mocked to raise, so even the logged-in admin is rejected.
    mock_raise_for_dashboard_access.side_effect = DashboardAccessDeniedError()
    url = f"api/v1/dashboard/{dashboard_id}/permalink"
    response = client.post(url, json=STATE)
    assert response.status_code == 403
def test_delete_access_denied(mock_raise_for_dashboard_access, client, dashboard_id: int):
    """Deleting filter state answers 403 when the dashboard access check raises."""
    login(client, "admin")
    # The access check is mocked to raise, so even the logged-in admin is rejected.
    mock_raise_for_dashboard_access.side_effect = DashboardAccessDeniedError()
    # NOTE(review): `key` is not a parameter of this test; presumably it is a
    # module-level name — confirm, since the sibling tests use `KEY`.
    url = f"api/v1/dashboard/{dashboard_id}/filter_state/{key}/"
    response = client.delete(url)
    assert response.status_code == 403
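def raise_for_dashboard_access(dashboard: "Dashboard") -> None:
    """
    Raise an exception if the user cannot access the dashboard.

    Access is granted when the current user is an admin, owns the dashboard,
    the dashboard is published and the user passes the ``DASHBOARD_RBAC``
    role check (trivially true when the flag is off), or the dashboard is
    unpublished and has no roles assigned. Note the last rule: at this layer
    an unpublished, role-less dashboard is reachable by any authenticated
    user.

    :param dashboard: Dashboard the user wants access to
    :raises DashboardAccessDeniedError: If the user cannot access the resource
    """
    # pylint: disable=import-outside-toplevel
    from superset import is_feature_enabled
    from superset.dashboards.commands.exceptions import DashboardAccessDeniedError
    from superset.views.base import get_user_roles, is_user_admin
    from superset.views.utils import is_owner

    # With the feature flag off, dashboard role assignments are not enforced.
    has_rbac_access = True
    if is_feature_enabled("DASHBOARD_RBAC"):
        # Collect the user's role ids once rather than rebuilding the list
        # for every role attached to the dashboard.
        user_role_ids = {user_role.id for user_role in get_user_roles()}
        has_rbac_access = any(
            dashboard_role.id in user_role_ids for dashboard_role in dashboard.roles
        )

    can_access = (
        is_user_admin()
        or is_owner(dashboard, g.user)
        or (dashboard.published and has_rbac_access)
        or (not dashboard.published and not dashboard.roles)
    )
    if not can_access:
        raise DashboardAccessDeniedError()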
def test_post_access_denied(mock_raise_for_dashboard_access, client, dashboard_id: int):
    """Creating filter state answers 403 when the dashboard access check raises."""
    login(client, "admin")
    # The access check is mocked to raise, so even the logged-in admin is rejected.
    mock_raise_for_dashboard_access.side_effect = DashboardAccessDeniedError()
    url = f"api/v1/dashboard/{dashboard_id}/filter_state"
    response = client.post(url, json={"value": INITIAL_VALUE})
    assert response.status_code == 403
def test_put_access_denied(mock_raise_for_dashboard_access, test_client, login_as_admin, dashboard_id: int):
    """Updating filter state answers 403 when the dashboard access check raises."""
    # `login_as_admin` is a fixture; the access check is mocked to raise, so
    # even the admin session is rejected.
    mock_raise_for_dashboard_access.side_effect = DashboardAccessDeniedError()
    url = f"api/v1/dashboard/{dashboard_id}/filter_state/{KEY}"
    response = test_client.put(url, json={"value": UPDATED_VALUE})
    assert response.status_code == 403
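def raise_for_dashboard_access(dashboard: Dashboard) -> None:
    """
    Raise an exception if the user cannot access the dashboard.

    Access is granted when the current user is an admin, owns the dashboard,
    or the dashboard is published and the user passes the ``DASHBOARD_RBAC``
    role check (trivially true when the flag is off).

    :param dashboard: Dashboard the user wants access to
    :raises DashboardAccessDeniedError: If the user cannot access the resource
    """
    from superset.views.base import get_user_roles, is_user_admin
    from superset.views.utils import is_owner

    # Bind this before the flag check. Previously it was assigned only inside
    # the `if`, so with DASHBOARD_RBAC disabled a non-admin, non-owner on a
    # published dashboard hit UnboundLocalError instead of an access decision.
    # With the flag off, dashboard role assignments are not enforced.
    has_rbac_access = True
    if is_feature_enabled("DASHBOARD_RBAC"):
        # Collect the user's role ids once rather than rebuilding the list
        # for every role attached to the dashboard.
        user_role_ids = {user_role.id for user_role in get_user_roles()}
        has_rbac_access = any(
            dashboard_role.id in user_role_ids for dashboard_role in dashboard.roles
        )

    can_access = (
        is_user_admin()
        or is_owner(dashboard, g.user)
        or (dashboard.published and has_rbac_access)
    )
    if not can_access:
        raise DashboardAccessDeniedError()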
def test_delete_access_denied(mock_raise_for_dashboard_access, test_client, login_as_admin, dashboard_id: int):
    """Deleting filter state answers 403 when the dashboard access check raises."""
    # `login_as_admin` is a fixture; the access check is mocked to raise, so
    # even the admin session is rejected.
    mock_raise_for_dashboard_access.side_effect = DashboardAccessDeniedError()
    url = f"api/v1/dashboard/{dashboard_id}/filter_state/{KEY}"
    response = test_client.delete(url)
    assert response.status_code == 403