def log_change(event_type, dataset, message): log_permission_change( request.user, obj, event_type, serializers.serialize('python', [dataset])[0], message, )
def save_model(self, request, obj, form, change): original_user_access_type = obj.user_access_type obj.user_access_type = ( 'REQUIRES_AUTHORIZATION' if form.cleaned_data['requires_authorization'] else 'REQUIRES_AUTHENTICATION' ) current_authorized_users = set( get_user_model().objects.filter(datasetuserpermission__dataset=obj) ) authorized_users = set( form.cleaned_data.get('authorized_users', get_user_model().objects.none()) ) super().save_model(request, obj, form, change) changed_user_sso_ids = set() for user in authorized_users - current_authorized_users: DataSetUserPermission.objects.create(dataset=obj, user=user) log_permission_change( request.user, obj, EventLog.TYPE_GRANTED_DATASET_PERMISSION, {'for_user_id': user.id}, f"Added dataset {obj} permission", ) changed_user_sso_ids.add(str(user.profile.sso_id)) for user in current_authorized_users - authorized_users: DataSetUserPermission.objects.filter(dataset=obj, user=user).delete() log_permission_change( request.user, obj, EventLog.TYPE_REVOKED_DATASET_PERMISSION, {'for_user_id': user.id}, f"Removed dataset {obj} permission", ) changed_user_sso_ids.add(str(user.profile.sso_id)) if original_user_access_type != obj.user_access_type: log_permission_change( request.user, obj, EventLog.TYPE_SET_DATASET_USER_ACCESS_TYPE, {"access_type": obj.user_access_type}, f"user_access_type set to {obj.user_access_type}", ) if isinstance(self, MasterDatasetAdmin): if changed_user_sso_ids: sync_quicksight_permissions.delay( user_sso_ids_to_update=tuple(changed_user_sso_ids) ) elif original_user_access_type != obj.user_access_type: sync_quicksight_permissions.delay()
def process_visualisation_catalogue_item_authorized_users_change( authorized_users, request_user, visualisation_catalogue_item, access_type_changed, authorized_email_domains_changed, ): current_authorized_users = set(get_user_model().objects.filter( visualisationuserpermission__visualisation=visualisation_catalogue_item )) changed_users = set() for user in authorized_users - current_authorized_users: VisualisationUserPermission.objects.create( visualisation=visualisation_catalogue_item, user=user) log_permission_change( request_user, visualisation_catalogue_item, EventLog.TYPE_GRANTED_VISUALISATION_PERMISSION, {"for_user_id": user.id}, f"Added visualisation {visualisation_catalogue_item} permission", ) changed_users.add(user) for user in current_authorized_users - authorized_users: VisualisationUserPermission.objects.filter( visualisation=visualisation_catalogue_item, user=user).delete() log_permission_change( request_user, visualisation_catalogue_item, EventLog.TYPE_REVOKED_VISUALISATION_PERMISSION, {"for_user_id": user.id}, f"Removed visualisation {visualisation_catalogue_item} permission", ) changed_users.add(user) if access_type_changed or authorized_email_domains_changed: log_permission_change( request_user, visualisation_catalogue_item, EventLog.TYPE_SET_DATASET_USER_ACCESS_TYPE if access_type_changed else EventLog.TYPE_CHANGED_AUTHORIZED_EMAIL_DOMAIN, {"access_type": visualisation_catalogue_item.user_access_type}, f"user_access_type set to {visualisation_catalogue_item.user_access_type}", ) # As the visualisation's access type has changed, clear cached credentials for all # users to ensure they either: # - lose access if it went from REQUIRES_AUTHENTICATION/OPEN to REQUIRES_AUTHORIZATION # - get access if it went from REQUIRES_AUTHORIZATION to REQUIRES_AUTHENTICATION/OPEN invalidate_superset_user_cached_credentials() else: for user in changed_users: remove_superset_user_cached_credentials(user)
def save_model(self, request, obj, form, change): if obj.visualisation_template and not obj.name: obj.name = obj.visualisation_template.nice_name original_user_access_type = obj.user_access_type obj.user_access_type = ( 'REQUIRES_AUTHORIZATION' if form.cleaned_data['requires_authorization'] else 'REQUIRES_AUTHENTICATION' ) current_authorized_users = set( get_user_model().objects.filter( visualisationuserpermission__visualisation=obj ) ) authorized_users = set( form.cleaned_data.get('authorized_users', get_user_model().objects.none()) ) super().save_model(request, obj, form, change) for user in authorized_users - current_authorized_users: VisualisationUserPermission.objects.create(visualisation=obj, user=user) log_permission_change( request.user, obj, EventLog.TYPE_GRANTED_VISUALISATION_PERMISSION, {'for_user_id': user.id}, f"Added visualisation {obj} permission", ) for user in current_authorized_users - authorized_users: VisualisationUserPermission.objects.filter( visualisation=obj, user=user ).delete() log_permission_change( request.user, obj, EventLog.TYPE_REVOKED_VISUALISATION_PERMISSION, {'for_user_id': user.id}, f"Removed visualisation {obj} permission", ) if original_user_access_type != obj.user_access_type: log_permission_change( request.user, obj, EventLog.TYPE_SET_DATASET_USER_ACCESS_TYPE, {"access_type": obj.user_access_type}, f"user_access_type set to {obj.user_access_type}", )
def log_change(event_type, permission, message): log_permission_change(request.user, obj, event_type, {'permission': permission}, message)
def save_model(self, request, obj, form, change): obj.username = form.cleaned_data['email'] def log_change(event_type, permission, message): log_permission_change(request.user, obj, event_type, {'permission': permission}, message) start_all_applications_permission = Permission.objects.get( codename='start_all_applications', content_type=ContentType.objects.get_for_model( ApplicationInstance), ) develop_visualisations_permission = Permission.objects.get( codename='develop_visualisations', content_type=ContentType.objects.get_for_model( ApplicationInstance), ) access_appstream_permission = Permission.objects.get( codename='access_appstream', content_type=ContentType.objects.get_for_model( ApplicationInstance), ) if 'can_start_all_applications' in form.cleaned_data: if (form.cleaned_data['can_start_all_applications'] and start_all_applications_permission not in obj.user_permissions.all()): obj.user_permissions.add(start_all_applications_permission) log_change( EventLog.TYPE_GRANTED_USER_PERMISSION, 'can_start_all_applications', 'Added can_start_all_applications permission', ) elif (not form.cleaned_data['can_start_all_applications'] and start_all_applications_permission in obj.user_permissions.all()): obj.user_permissions.remove(start_all_applications_permission) log_change( EventLog.TYPE_REVOKED_USER_PERMISSION, 'can_start_all_applications', 'Removed can_start_all_applications permission', ) if 'can_develop_visualisations' in form.cleaned_data: if (form.cleaned_data['can_develop_visualisations'] and develop_visualisations_permission not in obj.user_permissions.all()): obj.user_permissions.add(develop_visualisations_permission) log_change( EventLog.TYPE_GRANTED_USER_PERMISSION, 'can_develop_visualisations', 'Added can_develop_visualisations permission', ) elif (not form.cleaned_data['can_develop_visualisations'] and develop_visualisations_permission in obj.user_permissions.all()): obj.user_permissions.remove(develop_visualisations_permission) log_change( EventLog.TYPE_REVOKED_USER_PERMISSION, 'can_develop_visualisations', 'Removed can_develop_visualisations permission', ) if 'can_access_appstream' in form.cleaned_data: if (form.cleaned_data['can_access_appstream'] and access_appstream_permission not in obj.user_permissions.all()): obj.user_permissions.add(access_appstream_permission) log_change( EventLog.TYPE_GRANTED_USER_PERMISSION, 'can_access_appstream', 'Added can_access_appstream permission', ) elif (not form.cleaned_data['can_access_appstream'] and access_appstream_permission in obj.user_permissions.all()): obj.user_permissions.remove(access_appstream_permission) log_change( EventLog.TYPE_REVOKED_USER_PERMISSION, 'can_access_appstream', 'Removed can_access_appstream permission', ) current_datasets = set( DataSet.objects.live().filter(datasetuserpermission__user=obj)) authorized_datasets = set( form.cleaned_data.get('authorized_master_datasets', DataSet.objects.none()).union( form.cleaned_data.get( 'authorized_data_cut_datasets', DataSet.objects.none()))) for dataset in authorized_datasets - current_datasets: DataSetUserPermission.objects.create(dataset=dataset, user=obj) log_permission_change( request.user, obj, EventLog.TYPE_GRANTED_DATASET_PERMISSION, serializers.serialize('python', [dataset])[0], f"Added dataset {dataset} permission", ) for dataset in current_datasets - authorized_datasets: DataSetUserPermission.objects.filter(dataset=dataset, user=obj).delete() log_permission_change( request.user, obj, EventLog.TYPE_REVOKED_DATASET_PERMISSION, serializers.serialize('python', [dataset])[0], f"Removed dataset {dataset} permission", ) if 'authorized_visualisations' in form.cleaned_data: current_visualisations = ApplicationTemplate.objects.filter( application_type='VISUALISATION', applicationtemplateuserpermission__user=obj, ) for application_template in form.cleaned_data[ 'authorized_visualisations']: if application_template not in current_visualisations.all(): ApplicationTemplateUserPermission.objects.create( application_template=application_template, user=obj) log_permission_change( request.user, obj, EventLog.TYPE_GRANTED_VISUALISATION_PERMISSION, serializers.serialize('python', [application_template])[0], f"Added application {application_template} permission", ) for application_template in current_visualisations: if (application_template not in form.cleaned_data['authorized_visualisations']): ApplicationTemplateUserPermission.objects.filter( application_template=application_template, user=obj).delete() log_permission_change( request.user, obj, EventLog.TYPE_REVOKED_VISUALISATION_PERMISSION, serializers.serialize('python', [application_template])[0], f"Removed application {application_template} permission", ) super().save_model(request, obj, form, change)
def save_model(self, request, obj, form, change): obj.username = form.cleaned_data['email'] def log_change(event_type, permission, message): log_permission_change(request.user, obj, event_type, {'permission': permission}, message) start_all_applications_permission = Permission.objects.get( codename='start_all_applications', content_type=ContentType.objects.get_for_model( ApplicationInstance), ) develop_visualisations_permission = Permission.objects.get( codename='develop_visualisations', content_type=ContentType.objects.get_for_model( ApplicationInstance), ) access_appstream_permission = Permission.objects.get( codename='access_appstream', content_type=ContentType.objects.get_for_model( ApplicationInstance), ) access_quicksight_permission = Permission.objects.get( codename='access_quicksight', content_type=ContentType.objects.get_for_model( ApplicationInstance), ) if 'can_start_all_applications' in form.cleaned_data: if (form.cleaned_data['can_start_all_applications'] and start_all_applications_permission not in obj.user_permissions.all()): obj.user_permissions.add(start_all_applications_permission) if not obj.profile.tools_access_role_arn: create_tools_access_iam_role_task.delay(obj.id) log_change( EventLog.TYPE_GRANTED_USER_PERMISSION, 'can_start_all_applications', 'Added can_start_all_applications permission', ) elif (not form.cleaned_data['can_start_all_applications'] and start_all_applications_permission in obj.user_permissions.all()): obj.user_permissions.remove(start_all_applications_permission) log_change( EventLog.TYPE_REVOKED_USER_PERMISSION, 'can_start_all_applications', 'Removed can_start_all_applications permission', ) if 'can_develop_visualisations' in form.cleaned_data: if (form.cleaned_data['can_develop_visualisations'] and develop_visualisations_permission not in obj.user_permissions.all()): obj.user_permissions.add(develop_visualisations_permission) log_change( EventLog.TYPE_GRANTED_USER_PERMISSION, 'can_develop_visualisations', 'Added can_develop_visualisations permission', ) elif (not form.cleaned_data['can_develop_visualisations'] and develop_visualisations_permission in obj.user_permissions.all()): obj.user_permissions.remove(develop_visualisations_permission) log_change( EventLog.TYPE_REVOKED_USER_PERMISSION, 'can_develop_visualisations', 'Removed can_develop_visualisations permission', ) if 'can_access_appstream' in form.cleaned_data: if (form.cleaned_data['can_access_appstream'] and access_appstream_permission not in obj.user_permissions.all()): obj.user_permissions.add(access_appstream_permission) log_change( EventLog.TYPE_GRANTED_USER_PERMISSION, 'can_access_appstream', 'Added can_access_appstream permission', ) elif (not form.cleaned_data['can_access_appstream'] and access_appstream_permission in obj.user_permissions.all()): obj.user_permissions.remove(access_appstream_permission) log_change( EventLog.TYPE_REVOKED_USER_PERMISSION, 'can_access_appstream', 'Removed can_access_appstream permission', ) if 'can_access_quicksight' in form.cleaned_data: if (form.cleaned_data['can_access_quicksight'] and access_quicksight_permission not in obj.user_permissions.all()): obj.user_permissions.add(access_quicksight_permission) log_change( EventLog.TYPE_GRANTED_USER_PERMISSION, 'can_access_quicksight', 'Added can_access_quicksight permission', ) elif (not form.cleaned_data['can_access_quicksight'] and access_quicksight_permission in obj.user_permissions.all()): obj.user_permissions.remove(access_quicksight_permission) log_change( EventLog.TYPE_REVOKED_USER_PERMISSION, 'can_access_quicksight', 'Removed can_access_quicksight permission', ) current_datasets = set( DataSet.objects.live().filter(datasetuserpermission__user=obj)) authorized_datasets = set( form.cleaned_data.get('authorized_master_datasets', DataSet.objects.none()).union( form.cleaned_data.get( 'authorized_data_cut_datasets', DataSet.objects.none()))) update_quicksight_permissions = False for dataset in authorized_datasets - current_datasets: DataSetUserPermission.objects.create(dataset=dataset, user=obj) log_permission_change( request.user, obj, EventLog.TYPE_GRANTED_DATASET_PERMISSION, serializers.serialize('python', [dataset])[0], f"Added dataset {dataset} permission", ) if dataset.type == DataSetType.MASTER.value: update_quicksight_permissions = True for dataset in current_datasets - authorized_datasets: DataSetUserPermission.objects.filter(dataset=dataset, user=obj).delete() log_permission_change( request.user, obj, EventLog.TYPE_REVOKED_DATASET_PERMISSION, serializers.serialize('python', [dataset])[0], f"Removed dataset {dataset} permission", ) if dataset.type == DataSetType.MASTER.value: update_quicksight_permissions = True if 'authorized_visualisations' in form.cleaned_data: current_visualisations = VisualisationCatalogueItem.objects.filter( visualisationuserpermission__user=obj) for visualisation_catalogue_item in form.cleaned_data[ 'authorized_visualisations']: if visualisation_catalogue_item not in current_visualisations.all( ): VisualisationUserPermission.objects.create( visualisation=visualisation_catalogue_item, user=obj) log_permission_change( request.user, obj, EventLog.TYPE_GRANTED_VISUALISATION_PERMISSION, serializers.serialize( 'python', [visualisation_catalogue_item])[0], f"Added application {visualisation_catalogue_item} permission", ) for visualisation_catalogue_item in current_visualisations: if (visualisation_catalogue_item not in form.cleaned_data['authorized_visualisations']): VisualisationUserPermission.objects.filter( visualisation=visualisation_catalogue_item, user=obj).delete() log_permission_change( request.user, obj, EventLog.TYPE_REVOKED_VISUALISATION_PERMISSION, serializers.serialize( 'python', [visualisation_catalogue_item])[0], f"Removed application {visualisation_catalogue_item} permission", ) if 'home_directory_efs_access_point_id' in form.cleaned_data: obj.profile.home_directory_efs_access_point_id = form.cleaned_data[ 'home_directory_efs_access_point_id'] if 'tools_access_role_arn' in form.cleaned_data: obj.profile.tools_access_role_arn = form.cleaned_data[ 'tools_access_role_arn'] super().save_model(request, obj, form, change) if update_quicksight_permissions: sync_quicksight_permissions.delay( user_sso_ids_to_update=(str(obj.profile.sso_id), ))
def process_dataset_authorized_users_change( authorized_users, request_user, dataset, access_type_changed, authorized_email_domains_changed, is_master_dataset, ): current_authorized_users = set(get_user_model().objects.filter( datasetuserpermission__dataset=dataset)) changed_users = set() for user in authorized_users - current_authorized_users: DataSetUserPermission.objects.create(dataset=dataset, user=user) log_permission_change( request_user, dataset, EventLog.TYPE_GRANTED_DATASET_PERMISSION, {"for_user_id": user.id}, f"Added dataset {dataset} permission", ) changed_users.add(user) clear_schema_info_cache_for_user(user) for user in current_authorized_users - authorized_users: DataSetUserPermission.objects.filter(dataset=dataset, user=user).delete() log_permission_change( request_user, dataset, EventLog.TYPE_REVOKED_DATASET_PERMISSION, {"for_user_id": user.id}, f"Removed dataset {dataset} permission", ) changed_users.add(user) clear_schema_info_cache_for_user(user) if access_type_changed or authorized_email_domains_changed: log_permission_change( request_user, dataset, EventLog.TYPE_SET_DATASET_USER_ACCESS_TYPE if access_type_changed else EventLog.TYPE_CHANGED_AUTHORIZED_EMAIL_DOMAIN, {"access_type": dataset.user_access_type}, f"user_access_type set to {dataset.user_access_type}", ) # As the dataset's access type has changed, clear cached credentials for all # users to ensure they either: # - lose access if it went from REQUIRES_AUTHENTICATION/OPEN to REQUIRES_AUTHORIZATION # - get access if it went from REQUIRES_AUTHORIZATION to REQUIRES_AUTHENTICATION/OPEN invalidate_data_explorer_user_cached_credentials() invalidate_superset_user_cached_credentials() else: for user in changed_users: remove_data_explorer_user_cached_credentials(user) remove_superset_user_cached_credentials(user) if is_master_dataset: if changed_users: # If we're changing permissions for loads of users, let's just do a full quicksight re-sync. # Makes fewer AWS calls and probably completes as quickly if not quicker. if len(changed_users) >= 50: sync_quicksight_permissions.delay() else: changed_user_sso_ids = [ str(u.profile.sso_id) for u in changed_users ] sync_quicksight_permissions.delay( user_sso_ids_to_update=tuple(changed_user_sso_ids)) elif access_type_changed: sync_quicksight_permissions.delay()
def save_model(self, request, obj, form, change): original_user_access_type = obj.user_access_type obj.user_access_type = ('REQUIRES_AUTHORIZATION' if form.cleaned_data['requires_authorization'] else 'REQUIRES_AUTHENTICATION') current_authorized_users = set(get_user_model().objects.filter( datasetuserpermission__dataset=obj)) authorized_users = set( form.cleaned_data.get('authorized_users', get_user_model().objects.none())) super().save_model(request, obj, form, change) changed_user_sso_ids = set() clear_schema_info_cache = False for user in authorized_users - current_authorized_users: DataSetUserPermission.objects.create(dataset=obj, user=user) log_permission_change( request.user, obj, EventLog.TYPE_GRANTED_DATASET_PERMISSION, {'for_user_id': user.id}, f"Added dataset {obj} permission", ) changed_user_sso_ids.add(str(user.profile.sso_id)) clear_schema_info_cache = True for user in current_authorized_users - authorized_users: DataSetUserPermission.objects.filter(dataset=obj, user=user).delete() log_permission_change( request.user, obj, EventLog.TYPE_REVOKED_DATASET_PERMISSION, {'for_user_id': user.id}, f"Removed dataset {obj} permission", ) changed_user_sso_ids.add(str(user.profile.sso_id)) clear_schema_info_cache = True if clear_schema_info_cache: clear_schema_info_cache_for_user(user) if original_user_access_type != obj.user_access_type: log_permission_change( request.user, obj, EventLog.TYPE_SET_DATASET_USER_ACCESS_TYPE, {"access_type": obj.user_access_type}, f"user_access_type set to {obj.user_access_type}", ) if isinstance(self, MasterDatasetAdmin): if changed_user_sso_ids: # If we're changing permissions for loads of users, let's just do a full quicksight re-sync. # Makes fewer AWS calls and probably completes as quickly if not quicker. if len(changed_user_sso_ids) >= 50: sync_quicksight_permissions.delay() else: sync_quicksight_permissions.delay( user_sso_ids_to_update=tuple(changed_user_sso_ids)) elif original_user_access_type != obj.user_access_type: sync_quicksight_permissions.delay()
def save_model(self, request, obj, form, change): obj.username = form.cleaned_data["email"] def log_change(event_type, permission, message): log_permission_change(request.user, obj, event_type, {"permission": permission}, message) start_all_applications_permission = Permission.objects.get( codename="start_all_applications", content_type=ContentType.objects.get_for_model( ApplicationInstance), ) develop_visualisations_permission = Permission.objects.get( codename="develop_visualisations", content_type=ContentType.objects.get_for_model( ApplicationInstance), ) access_appstream_permission = Permission.objects.get( codename="access_appstream", content_type=ContentType.objects.get_for_model( ApplicationInstance), ) access_quicksight_permission = Permission.objects.get( codename="access_quicksight", content_type=ContentType.objects.get_for_model( ApplicationInstance), ) if "can_start_all_applications" in form.cleaned_data: if (form.cleaned_data["can_start_all_applications"] and start_all_applications_permission not in obj.user_permissions.all()): obj.user_permissions.add(start_all_applications_permission) if not obj.profile.tools_access_role_arn: create_tools_access_iam_role_task.delay(obj.id) log_change( EventLog.TYPE_GRANTED_USER_PERMISSION, "can_start_all_applications", "Added can_start_all_applications permission", ) elif (not form.cleaned_data["can_start_all_applications"] and start_all_applications_permission in obj.user_permissions.all()): obj.user_permissions.remove(start_all_applications_permission) log_change( EventLog.TYPE_REVOKED_USER_PERMISSION, "can_start_all_applications", "Removed can_start_all_applications permission", ) if "can_develop_visualisations" in form.cleaned_data: if (form.cleaned_data["can_develop_visualisations"] and develop_visualisations_permission not in obj.user_permissions.all()): obj.user_permissions.add(develop_visualisations_permission) log_change( EventLog.TYPE_GRANTED_USER_PERMISSION, "can_develop_visualisations", "Added can_develop_visualisations permission", ) elif (not form.cleaned_data["can_develop_visualisations"] and develop_visualisations_permission in obj.user_permissions.all()): obj.user_permissions.remove(develop_visualisations_permission) log_change( EventLog.TYPE_REVOKED_USER_PERMISSION, "can_develop_visualisations", "Removed can_develop_visualisations permission", ) if "can_access_appstream" in form.cleaned_data: if (form.cleaned_data["can_access_appstream"] and access_appstream_permission not in obj.user_permissions.all()): try: add_user_access_profile(obj, "appstream") except SSOApiException as e: messages.error( request, "Unable to give user access to appstream via SSO API: %s" % e, ) obj.user_permissions.add(access_appstream_permission) log_change( EventLog.TYPE_GRANTED_USER_PERMISSION, "can_access_appstream", "Added can_access_appstream permission", ) elif (not form.cleaned_data["can_access_appstream"] and access_appstream_permission in obj.user_permissions.all()): try: remove_user_access_profile(obj, "appstream") except SSOApiException as e: messages.error( request, "Unable to revoke user access to appstream via SSO API: %s" % e, ) obj.user_permissions.remove(access_appstream_permission) log_change( EventLog.TYPE_REVOKED_USER_PERMISSION, "can_access_appstream", "Removed can_access_appstream permission", ) if "can_access_quicksight" in form.cleaned_data: if (form.cleaned_data["can_access_quicksight"] and access_quicksight_permission not in obj.user_permissions.all()): try: add_user_access_profile(obj, "quicksight") except SSOApiException as e: messages.error( request, "Unable to give user access to quicksight via SSO API: %s" % e, ) obj.user_permissions.add(access_quicksight_permission) log_change( EventLog.TYPE_GRANTED_USER_PERMISSION, "can_access_quicksight", "Added can_access_quicksight permission", ) elif (not form.cleaned_data["can_access_quicksight"] and access_quicksight_permission in obj.user_permissions.all()): try: remove_user_access_profile(obj, "quicksight") except SSOApiException as e: messages.error( request, "Unable to revoke user access to quicksight via SSO API: %s" % e, ) obj.user_permissions.remove(access_quicksight_permission) log_change( EventLog.TYPE_REVOKED_USER_PERMISSION, "can_access_quicksight", "Removed can_access_quicksight permission", ) current_datasets = set( DataSet.objects.live().filter(datasetuserpermission__user=obj)) authorized_datasets = set( form.cleaned_data.get("authorized_master_datasets", DataSet.objects.none()).union( form.cleaned_data.get( "authorized_data_cut_datasets", DataSet.objects.none()))) update_quicksight_permissions = False clear_schema_info_and_credentials_cache = False for dataset in authorized_datasets - current_datasets: DataSetUserPermission.objects.create(dataset=dataset, user=obj) log_permission_change( request.user, obj, EventLog.TYPE_GRANTED_DATASET_PERMISSION, serializers.serialize("python", [dataset])[0], f"Added dataset {dataset} permission", ) if dataset.type == DataSetType.MASTER: update_quicksight_permissions = True clear_schema_info_and_credentials_cache = True for dataset in current_datasets - authorized_datasets: DataSetUserPermission.objects.filter(dataset=dataset, user=obj).delete() log_permission_change( request.user, obj, EventLog.TYPE_REVOKED_DATASET_PERMISSION, serializers.serialize("python", [dataset])[0], f"Removed dataset {dataset} permission", ) if dataset.type == DataSetType.MASTER: update_quicksight_permissions = True clear_schema_info_and_credentials_cache = True if clear_schema_info_and_credentials_cache and obj.pk: clear_schema_info_cache_for_user(obj) remove_data_explorer_user_cached_credentials(obj) if "authorized_visualisations" in form.cleaned_data: current_visualisations = VisualisationCatalogueItem.objects.filter( visualisationuserpermission__user=obj) for visualisation_catalogue_item in form.cleaned_data[ "authorized_visualisations"]: if visualisation_catalogue_item not in current_visualisations.all( ): VisualisationUserPermission.objects.create( visualisation=visualisation_catalogue_item, user=obj) log_permission_change( request.user, obj, EventLog.TYPE_GRANTED_VISUALISATION_PERMISSION, serializers.serialize( "python", [visualisation_catalogue_item])[0], f"Added application {visualisation_catalogue_item} permission", ) for visualisation_catalogue_item in current_visualisations: if (visualisation_catalogue_item not in form.cleaned_data["authorized_visualisations"]): VisualisationUserPermission.objects.filter( visualisation=visualisation_catalogue_item, user=obj).delete() log_permission_change( request.user, obj, EventLog.TYPE_REVOKED_VISUALISATION_PERMISSION, serializers.serialize( "python", [visualisation_catalogue_item])[0], f"Removed application {visualisation_catalogue_item} permission", ) if "home_directory_efs_access_point_id" in form.cleaned_data: obj.profile.home_directory_efs_access_point_id = form.cleaned_data[ "home_directory_efs_access_point_id"] if "tools_access_role_arn" in form.cleaned_data: obj.profile.tools_access_role_arn = form.cleaned_data[ "tools_access_role_arn"] super().save_model(request, obj, form, change) if update_quicksight_permissions: sync_quicksight_permissions.delay( user_sso_ids_to_update=(str(obj.profile.sso_id), ))