예제 #1
0
    def test_sql_json_has_access(self):
        main_db = self.get_main_database(db.session)
        sm.add_permission_view_menu('database_access', main_db.perm)
        db.session.commit()
        main_db_permission_view = (
            db.session.query(ab_models.PermissionView)
            .join(ab_models.ViewMenu)
            .filter(ab_models.ViewMenu.name == '[main].(id:1)')
            .first()
        )
        astronaut = sm.add_role("Astronaut")
        sm.add_permission_role(astronaut, main_db_permission_view)
        # Astronaut role is Gamma + sqllab +  main db permissions
        for perm in sm.find_role('Gamma').permissions:
            sm.add_permission_role(astronaut, perm)
        for perm in sm.find_role('sql_lab').permissions:
            sm.add_permission_role(astronaut, perm)

        gagarin = appbuilder.sm.find_user('gagarin')
        if not gagarin:
            appbuilder.sm.add_user(
                'gagarin', 'Iurii', 'Gagarin', '*****@*****.**',
                astronaut,
                password='******')
        data = self.run_sql('SELECT * FROM ab_user', "3", user_name='gagarin')
        db.session.query(models.Query).delete()
        db.session.commit()
        self.assertLess(0, len(data['data']))
예제 #2
0
    def test_sql_json_has_access(self):
        main_db = self.get_main_database(db.session)
        sm.add_permission_view_menu('database_access', main_db.perm)
        db.session.commit()
        main_db_permission_view = (db.session.query(
            ab_models.PermissionView).join(ab_models.ViewMenu).join(
                ab_models.Permission
            ).filter(ab_models.ViewMenu.name == '[main].(id:1)').filter(
                ab_models.Permission.name == 'database_access').first())
        astronaut = sm.add_role('Astronaut')
        sm.add_permission_role(astronaut, main_db_permission_view)
        # Astronaut role is Gamma + sqllab +  main db permissions
        for perm in sm.find_role('Gamma').permissions:
            sm.add_permission_role(astronaut, perm)
        for perm in sm.find_role('sql_lab').permissions:
            sm.add_permission_role(astronaut, perm)

        gagarin = appbuilder.sm.find_user('gagarin')
        if not gagarin:
            appbuilder.sm.add_user('gagarin',
                                   'Iurii',
                                   'Gagarin',
                                   '*****@*****.**',
                                   astronaut,
                                   password='******')
        data = self.run_sql('SELECT * FROM ab_user', '3', user_name='gagarin')
        db.session.query(Query).delete()
        db.session.commit()
        self.assertLess(0, len(data['data']))
예제 #3
0
    def test_filter_druid_datasource(self):
        CLUSTER_NAME = 'new_druid'
        cluster = self.get_or_create(
            DruidCluster,
            {'cluster_name': CLUSTER_NAME},
            db.session)
        db.session.merge(cluster)

        gamma_ds = self.get_or_create(
            DruidDatasource, {'datasource_name': 'datasource_for_gamma'},
            db.session)
        gamma_ds.cluster = cluster
        db.session.merge(gamma_ds)

        no_gamma_ds = self.get_or_create(
            DruidDatasource, {'datasource_name': 'datasource_not_for_gamma'},
            db.session)
        no_gamma_ds.cluster = cluster
        db.session.merge(no_gamma_ds)

        sm.add_permission_view_menu('datasource_access', gamma_ds.perm)
        sm.add_permission_view_menu('datasource_access', no_gamma_ds.perm)

        db.session.commit()

        perm = sm.find_permission_view_menu('datasource_access', gamma_ds.perm)
        sm.add_permission_role(sm.find_role('Gamma'), perm)
        db.session.commit()

        self.login(username='******')
        url = '/druiddatasourcemodelview/list/'
        resp = self.get_resp(url)
        assert 'datasource_for_gamma' in resp
        assert 'datasource_not_for_gamma' not in resp
예제 #4
0
def merge_perm(sm, permission_name, view_menu_name):
    # Implementation copied from sm.find_permission_view_menu.
    # TODO: use sm.find_permission_view_menu once issue
    #       https://github.com/airbnb/superset/issues/1944 is resolved.
    permission = sm.find_permission(permission_name)
    view_menu = sm.find_view_menu(view_menu_name)
    pv = None
    if permission and view_menu:
        pv = sm.get_session.query(sm.permissionview_model).filter_by(
            permission=permission, view_menu=view_menu).first()
    if not pv and permission_name and view_menu_name:
        sm.add_permission_view_menu(permission_name, view_menu_name)
예제 #5
0
def merge_perm(sm, permission_name, view_menu_name):
    # Implementation copied from sm.find_permission_view_menu.
    # TODO: use sm.find_permission_view_menu once issue
    #       https://github.com/airbnb/superset/issues/1944 is resolved.
    permission = sm.find_permission(permission_name)
    view_menu = sm.find_view_menu(view_menu_name)
    pv = None
    if permission and view_menu:
        pv = sm.get_session.query(sm.permissionview_model).filter_by(
            permission=permission, view_menu=view_menu).first()
    if not pv and permission_name and view_menu_name:
        sm.add_permission_view_menu(permission_name, view_menu_name)
예제 #6
0
def merge_perm(sm, permission_name, view_menu_name):
    pv = sm.find_permission_view_menu(permission_name, view_menu_name)
    if not pv:
        sm.add_permission_view_menu(permission_name, view_menu_name)
예제 #7
0
def sync_role_definitions():
    """Inits the Superset application with security roles and such"""
    logging.info("Syncing role definition")

    # Creating default roles
    alpha = sm.add_role("Alpha")
    admin = sm.add_role("Admin")
    gamma = sm.add_role("Gamma")
    public = sm.add_role("Public")
    sql_lab = sm.add_role("sql_lab")
    granter = sm.add_role("granter")

    get_or_create_main_db()

    # Global perms
    sm.add_permission_view_menu('all_datasource_access',
                                'all_datasource_access')
    sm.add_permission_view_menu('all_database_access', 'all_database_access')

    perms = db.session.query(ab_models.PermissionView).all()
    perms = [p for p in perms if p.permission and p.view_menu]

    logging.info("Syncing admin perms")
    for p in perms:
        # admin has all_database_access and all_datasource_access
        if is_user_defined_permission(p):
            sm.del_permission_role(admin, p)
        else:
            sm.add_permission_role(admin, p)

    logging.info("Syncing alpha perms")
    for p in perms:
        # alpha has all_database_access and all_datasource_access
        if is_user_defined_permission(p):
            sm.del_permission_role(alpha, p)
        elif ((p.view_menu.name not in ADMIN_ONLY_VIEW_MENUES
               and p.permission.name not in ADMIN_ONLY_PERMISSIONS)
              or (p.permission.name, p.view_menu.name) in READ_ONLY_PRODUCT):
            sm.add_permission_role(alpha, p)
        else:
            sm.del_permission_role(alpha, p)

    logging.info("Syncing gamma perms and public if specified")
    PUBLIC_ROLE_LIKE_GAMMA = conf.get('PUBLIC_ROLE_LIKE_GAMMA', False)
    for p in perms:
        if ((p.view_menu.name not in ADMIN_ONLY_VIEW_MENUES
             and p.permission.name not in ADMIN_ONLY_PERMISSIONS
             and p.permission.name not in ALPHA_ONLY_PERMISSIONS)
                or (p.permission.name, p.view_menu.name) in READ_ONLY_PRODUCT):
            sm.add_permission_role(gamma, p)
            if PUBLIC_ROLE_LIKE_GAMMA:
                sm.add_permission_role(public, p)
        else:
            sm.del_permission_role(gamma, p)
            sm.del_permission_role(public, p)

    logging.info("Syncing sql_lab perms")
    for p in perms:
        if (p.view_menu.name in {'SQL Lab'} or p.permission.name
                in {'can_sql_json', 'can_csv', 'can_search_queries'}):
            sm.add_permission_role(sql_lab, p)
        else:
            sm.del_permission_role(sql_lab, p)

    logging.info("Syncing granter perms")
    for p in perms:
        if (p.permission.name
                in {'can_override_role_permissions', 'can_aprove'}):
            sm.add_permission_role(granter, p)
        else:
            sm.del_permission_role(granter, p)

    logging.info("Making sure all data source perms have been created")
    session = db.session()
    datasources = [o for o in session.query(models.SqlaTable).all()]
    datasources += [o for o in session.query(models.DruidDatasource).all()]
    for datasource in datasources:
        perm = datasource.get_perm()
        sm.add_permission_view_menu('datasource_access', perm)
        if perm != datasource.perm:
            datasource.perm = perm

    logging.info("Making sure all database perms have been created")
    databases = [o for o in session.query(models.Database).all()]
    for database in databases:
        perm = database.get_perm()
        if perm != database.perm:
            database.perm = perm
        sm.add_permission_view_menu('database_access', perm)
    session.commit()

    logging.info("Making sure all metrics perms exist")
    models.init_metrics_perm()
예제 #8
0
def sync_role_definitions():
    """Inits the Superset application with security roles and such"""
    logging.info("Syncing role definition")

    # Creating default roles
    alpha = sm.add_role("Alpha")
    admin = sm.add_role("Admin")
    gamma = sm.add_role("Gamma")
    public = sm.add_role("Public")
    sql_lab = sm.add_role("sql_lab")
    granter = sm.add_role("granter")

    get_or_create_main_db()

    # Global perms
    sm.add_permission_view_menu(
        'all_datasource_access', 'all_datasource_access')
    sm.add_permission_view_menu('all_database_access', 'all_database_access')

    perms = db.session.query(ab_models.PermissionView).all()
    perms = [p for p in perms if p.permission and p.view_menu]

    logging.info("Syncing admin perms")
    for p in perms:
        # admin has all_database_access and all_datasource_access
        if is_user_defined_permission(p):
            sm.del_permission_role(admin, p)
        else:
            sm.add_permission_role(admin, p)

    logging.info("Syncing alpha perms")
    for p in perms:
        # alpha has all_database_access and all_datasource_access
        if is_user_defined_permission(p):
            sm.del_permission_role(alpha, p)
        elif (
                (
                    p.view_menu.name not in ADMIN_ONLY_VIEW_MENUES and
                    p.permission.name not in ADMIN_ONLY_PERMISSIONS
                ) or
                (p.permission.name, p.view_menu.name) in READ_ONLY_PRODUCT
        ):
            sm.add_permission_role(alpha, p)
        else:
            sm.del_permission_role(alpha, p)

    logging.info("Syncing gamma perms and public if specified")
    PUBLIC_ROLE_LIKE_GAMMA = conf.get('PUBLIC_ROLE_LIKE_GAMMA', False)
    for p in perms:
        if (
                (
                    p.view_menu.name not in ADMIN_ONLY_VIEW_MENUES and
                    p.permission.name not in ADMIN_ONLY_PERMISSIONS and
                    p.permission.name not in ALPHA_ONLY_PERMISSIONS
                ) or
                (p.permission.name, p.view_menu.name) in READ_ONLY_PRODUCT
        ):
            sm.add_permission_role(gamma, p)
            if PUBLIC_ROLE_LIKE_GAMMA:
                sm.add_permission_role(public, p)
        else:
            sm.del_permission_role(gamma, p)
            sm.del_permission_role(public, p)

    logging.info("Syncing sql_lab perms")
    for p in perms:
        if (
                p.view_menu.name in {'SQL Lab'} or
                p.permission.name in {
                    'can_sql_json', 'can_csv', 'can_search_queries'}
        ):
            sm.add_permission_role(sql_lab, p)
        else:
            sm.del_permission_role(sql_lab, p)

    logging.info("Syncing granter perms")
    for p in perms:
        if (
                p.permission.name in {
                    'can_override_role_permissions', 'can_aprove'}
        ):
            sm.add_permission_role(granter, p)
        else:
            sm.del_permission_role(granter, p)

    logging.info("Making sure all data source perms have been created")
    session = db.session()
    datasources = [
        o for o in session.query(models.SqlaTable).all()]
    datasources += [
        o for o in session.query(models.DruidDatasource).all()]
    for datasource in datasources:
        perm = datasource.get_perm()
        sm.add_permission_view_menu('datasource_access', perm)
        if perm != datasource.perm:
            datasource.perm = perm

    logging.info("Making sure all database perms have been created")
    databases = [o for o in session.query(models.Database).all()]
    for database in databases:
        perm = database.get_perm()
        if perm != database.perm:
            database.perm = perm
        sm.add_permission_view_menu('database_access', perm)
    session.commit()

    logging.info("Making sure all metrics perms exist")
    models.init_metrics_perm()
예제 #9
0
def sync_role_definitions():
    """Inits the Superset application with security roles and such"""
    logging.info("Syncing role definition")

    # Creating default roles
    alpha = sm.add_role("Alpha")
    admin = sm.add_role("Admin")
    gamma = sm.add_role("Gamma")
    public = sm.add_role("Public")
    sql_lab = sm.add_role("sql_lab")
    granter = sm.add_role("granter")
    dashboard_access = sm.add_role("dashboard_access")
    dashboard_edit = sm.add_role("dashboard_edit")
    slice_access = sm.add_role("slice_access")
    slice_edit = sm.add_role("slice_edit")
    datasource_access = sm.add_role("datasource_access")
    datasource_edit = sm.add_role("datasource_edit")
    manage_edit = sm.add_role("manage_edit")
    user_role_edit = sm.add_role("user_role_edit")

    get_or_create_main_db()

    # Global perms
    merge_perm(sm, 'all_datasource_access', 'all_datasource_access')
    merge_perm(sm, 'all_database_access', 'all_database_access')

    perms = db.session.query(ab_models.PermissionView).all()
    perms = [p for p in perms if p.permission and p.view_menu]

    logging.info("Syncing admin perms")
    for p in perms:
        # admin has all_database_access and all_datasource_access
        if is_user_defined_permission(p):
            sm.del_permission_role(admin, p)
        else:
            sm.add_permission_role(admin, p)

    logging.info("Syncing alpha perms")
    for p in perms:
        # alpha has all_database_access and all_datasource_access
        if is_user_defined_permission(p):
            sm.del_permission_role(alpha, p)
        elif ((p.view_menu.name not in ADMIN_ONLY_VIEW_MENUES
               and p.permission.name not in ADMIN_ONLY_PERMISSIONS)
              or (p.permission.name, p.view_menu.name) in READ_ONLY_PRODUCT):
            sm.add_permission_role(alpha, p)
        else:
            sm.del_permission_role(alpha, p)

    logging.info("Syncing gamma perms and public if specified")
    PUBLIC_ROLE_LIKE_GAMMA = conf.get('PUBLIC_ROLE_LIKE_GAMMA', False)
    for p in perms:
        if ((p.view_menu.name not in ADMIN_ONLY_VIEW_MENUES
             and p.view_menu.name not in GAMMA_READ_ONLY_MODELVIEWS
             and p.permission.name not in ADMIN_ONLY_PERMISSIONS
             and p.permission.name not in ALPHA_ONLY_PERMISSIONS) or
            (p.permission.name, p.view_menu.name) in GAMMA_READ_ONLY_PRODUCT):
            sm.add_permission_role(gamma, p)
            if PUBLIC_ROLE_LIKE_GAMMA:
                sm.add_permission_role(public, p)
        else:
            sm.del_permission_role(gamma, p)
            sm.del_permission_role(public, p)

    logging.info("Syncing sql_lab perms")
    for p in perms:
        if (p.view_menu.name in {'SQL Lab'} or p.permission.name
                in {'can_sql_json', 'can_csv', 'can_search_queries'}):
            sm.add_permission_role(sql_lab, p)
        else:
            sm.del_permission_role(sql_lab, p)

    logging.info("Syncing granter perms")
    for p in perms:
        if (p.permission.name
                in {'can_override_role_permissions', 'can_aprove'}):
            sm.add_permission_role(granter, p)
        else:
            sm.del_permission_role(granter, p)

    logging.info("Syncing dashboard_access perms")
    for p in perms:
        if (p.view_menu.name in {'Dashboards'} or p.permission.name in {
                'can_explore', 'can_explore_json', 'can_slice',
                'can_created_dashboards', 'can_fave_dashboards',
                'all_datasource_access', 'all_database_access', 'can_profile'
        } or (p.permission.name in {'can_list', 'can_show', 'can_download'}
              and p.view_menu.name in {'DashboardModelView'}) or
            (p.permission.name in {'can_list', 'can_show', 'can_download'}
             and p.view_menu.name in {'DashboardModelViewAsync'})
                or (p.permission.name in {
                    'can_show', 'can_edit', 'can_download', 'can_userinfo',
                    'resetmypassword', 'userinfoedit'
                } and p.view_menu.name in {'UserDBModelView'})):
            sm.add_permission_role(dashboard_access, p)
        else:
            sm.del_permission_role(dashboard_access, p)

    logging.info("Syncing dashboard_edit perms")
    for p in perms:
        if (p.view_menu.name in {'Dashboards'} or p.permission.name in {
                'can_explore', 'can_explore_json', 'can_slice',
                'can_created_dashboards', 'can_fave_dashboards',
                'all_datasource_access', 'all_database_access', 'can_profile'
        } or (p.permission.name in {
                'can_list', 'can_show', 'can_add', 'can_delete', 'muldelete',
                'can_edit', 'can_download', 'mulexport'
        } and p.view_menu.name in {'DashboardModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download', 'mulexport'
                } and p.view_menu.name in {'DashboardModelViewAsync'})
                or (p.permission.name in {
                    'can_show', 'can_edit', 'can_download', 'can_userinfo',
                    'resetmypassword', 'userinfoedit'
                } and p.view_menu.name in {'UserDBModelView'})):
            sm.add_permission_role(dashboard_edit, p)
        else:
            sm.del_permission_role(dashboard_edit, p)

    logging.info("Syncing slice_access perms")
    for p in perms:
        if (p.view_menu.name in {'Slices'} or p.permission.name in {
                'can_explore', 'can_explore_json', 'can_slice',
                'can_created_slices', 'can_fave_slices',
                'all_datasource_access', 'all_database_access', 'can_profile'
        } or (p.permission.name in {'can_list', 'can_show', 'can_download'}
              and p.view_menu.name in {'SliceModelView'}) or
            (p.permission.name in {'can_list', 'can_show', 'can_download'}
             and p.view_menu.name in {'SliceAsync'}) or (p.permission.name in {
                 'can_show', 'can_edit', 'can_userinfo', 'resetmypassword',
                 'userinfoedit'
             } and p.view_menu.name in {'UserDBModelView'})):
            sm.add_permission_role(slice_access, p)
        else:
            sm.del_permission_role(slice_access, p)

    logging.info("Syncing slice_edit perms")
    for p in perms:
        if (p.view_menu.name in {'Slices'} or p.permission.name in {
                'can_explore', 'can_explore_json', 'can_slice',
                'can_created_slices', 'can_fave_slices', 'can_add_slices',
                'all_datasource_access', 'all_database_access', 'can_profile'
        } or (p.permission.name in {
                'can_list', 'can_show', 'can_add', 'can_delete', 'muldelete',
                'can_edit', 'can_download'
        } and p.view_menu.name in {'SliceModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download'
                } and p.view_menu.name in {'SliceAsync'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download'
                } and p.view_menu.name in {'SliceAddView'})
                or (p.permission.name in {
                    'can_show', 'can_edit', 'can_userinfo', 'resetmypassword',
                    'userinfoedit'
                } and p.view_menu.name in {'UserDBModelView'})):
            sm.add_permission_role(slice_edit, p)
        else:
            sm.del_permission_role(slice_edit, p)

    logging.info("Syncing datasource_access perms")
    for p in perms:
        if (p.view_menu.name in {
                'Sources', 'Databases', 'Tables', 'Druid Clusters',
                'Druid Datasources'
        } or p.permission.name in {
                'can_explore', 'can_explore_json', 'all_datasource_access',
                'all_database_access', 'can_profile'
        } or (p.permission.name in {'can_list', 'can_show'}
              and p.view_menu.name in {'DatabaseView'})
                or (p.permission.name in {'can_list', 'can_show'}
                    and p.view_menu.name in {'DatabaseAsync'})
                or (p.permission.name in {'can_list', 'can_show'}
                    and p.view_menu.name in {'TableModelView'})
                or (p.permission.name in {'can_list', 'can_show'}
                    and p.view_menu.name in {'DatabaseTableAsync'})
                or (p.permission.name in {'can_list', 'can_show'}
                    and p.view_menu.name in {'DruidDatasourceModelView'})
                or (p.permission.name in {'can_list', 'can_show'}
                    and p.view_menu.name in {'DruidClusterModelView'})
                or (p.permission.name in {
                    'can_show', 'can_edit', 'can_userinfo', 'resetmypassword',
                    'userinfoedit'
                } and p.view_menu.name in {'UserDBModelView'})):
            sm.add_permission_role(datasource_access, p)
        else:
            sm.del_permission_role(datasource_access, p)

    logging.info("Syncing datasource_edit perms")
    for p in perms:
        if (p.view_menu.name in {
                'Sources', 'Databases', 'Tables', 'Druid Clusters',
                'Druid Datasources', 'Refresh Druid Metadata',
                'TableColumnInlineView', 'SqlMetricInlineView'
        } or p.permission.name in {
                'can_explore', 'can_explore_json', 'can_testconn',
                'can_checkbox', 'can_refresh_datasources',
                'all_datasource_access', 'all_database_access', 'can_profile'
        } or (p.permission.name in {
                'can_list', 'can_show', 'can_add', 'can_delete', 'muldelete',
                'can_edit', 'can_download'
        } and p.view_menu.name in {'DatabaseView'}) or (p.permission.name in {
                'can_list', 'can_show', 'can_add', 'can_delete', 'muldelete',
                'can_edit', 'can_download'
        } and p.view_menu.name in {'DatabaseAsync'}) or (p.permission.name in {
                'can_list', 'can_show', 'can_add', 'can_delete', 'muldelete',
                'can_edit', 'can_download'
        } and p.view_menu.name in {'TableModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download'
                } and p.view_menu.name in {'DatabaseTablesAsync'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download'
                } and p.view_menu.name in {'DruidDatasourceModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download'
                } and p.view_menu.name in {'DruidClusterModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'TableColumnInlineView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'SqlMetricInlineView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'DruidColumnInlineView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'DruidMetricInlineView'})
                or (p.permission.name in {
                    'can_show', 'can_edit', 'can_userinfo', 'resetmypassword',
                    'userinfoedit'
                } and p.view_menu.name in {'UserDBModelView'})):
            sm.add_permission_role(datasource_edit, p)
        else:
            sm.del_permission_role(datasource_edit, p)

    logging.info("Syncing manage_edit perms")
    for p in perms:
        if (p.view_menu.name
                in {'Manage', 'Import Dashboards', 'Queries', 'CSS Templates'}
                or p.permission.name in {'can_profile'}
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'QueryView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'CssTemplateModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'CssTemplateAsyncModelView'})
                or (p.permission.name in {'can_add'}
                    and p.view_menu.name in {'DashboardModelView'})
                or (p.permission.name in {'can_add'}
                    and p.view_menu.name in {'SliceAddView'})
                or (p.permission.name in {
                    'can_show', 'can_edit', 'can_userinfo', 'resetmypassword',
                    'userinfoedit'
                } and p.view_menu.name in {'UserDBModelView'})):
            sm.add_permission_role(manage_edit, p)
        else:
            sm.del_permission_role(manage_edit, p)

    logging.info("Syncing user_role_edit perms")
    for p in perms:
        if (p.view_menu.name in {
                'Security', 'List Users', 'List Roles', "User's Statistics",
                'Base Permissions', 'Views/Menus', 'Permission on Views/Menus',
                'Access requests', 'Action Log'
        } or p.permission.name in {'can_recent_activity', 'can_profile'}
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download', 'can_userinfo',
                    'resetmypassword', 'resetpasswords', 'userinfoedit'
                } and p.view_menu.name in {'UserDBModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download', 'Copy Role',
                    'can_update_role', 'can_override_role_permissions'
                } and p.view_menu.name in {'RoleModelView'})
                or (p.permission.name in {'can_chart'}
                    and p.view_menu.name in {'UserStatsChartView'})
                or (p.permission.name in {'can_list'}
                    and p.view_menu.name in {'PermissionModelView'})
                or (p.permission.name in {'can_list'}
                    and p.view_menu.name in {'ViewMenuModelView'})
                or (p.permission.name in {'can_list'}
                    and p.view_menu.name in {'PermissionViewModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download', 'muldelete'
                } and p.view_menu.name in {'AccessRequestsModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'LogModelView'}) or
            (p.permission.name in {'can_this_form_post', 'can_this_form_get'}
             and p.view_menu.name in {'ResetMyPasswordView'}) or
            (p.permission.name in {'can_this_form_post', 'can_this_form_get'}
             and p.view_menu.name in {'ResetPasswordView'}) or
            (p.permission.name in {'can_this_form_post', 'can_this_form_get'}
             and p.view_menu.name in {'UserInfoEditView'})):
            sm.add_permission_role(user_role_edit, p)
        else:
            sm.del_permission_role(user_role_edit, p)

    logging.info("Making sure all data source perms have been created")
    session = db.session()
    datasources = [o for o in session.query(models.SqlaTable).all()]
    datasources += [o for o in session.query(models.DruidDatasource).all()]
    for datasource in datasources:
        perm = datasource.get_perm()
        merge_perm(sm, 'datasource_access', perm)
        if datasource.schema:
            merge_perm(sm, 'schema_access', datasource.schema_perm)
        if perm != datasource.perm:
            datasource.perm = perm

    logging.info("Making sure all database perms have been created")
    databases = [o for o in session.query(models.Database).all()]
    for database in databases:
        perm = database.get_perm()
        if perm != database.perm:
            database.perm = perm
        merge_perm(sm, 'database_access', perm)
    session.commit()

    logging.info("Making sure all dashboard perms have been created")
    dashboards = [o for o in session.query(models.Dashboard).all()]
    for dashboard in dashboards:
        perm = dashboard.get_dashboard_title()
        sm.add_permission_view_menu('dashboard_access', perm)
    session.commit()

    logging.info("Making sure all metrics perms exist")
    models.init_metrics_perm()
예제 #10
0
파일: security.py 프로젝트: Kieraya/caravel
def merge_perm(sm, permission_name, view_menu_name):
    pv = sm.find_permission_view_menu(permission_name, view_menu_name)
    if not pv and permission_name and view_menu_name:
        sm.add_permission_view_menu(permission_name, view_menu_name)