def raise_for_dashboard_access(dashboard: "Dashboard") -> None: """ Raise an exception if the user cannot access the dashboard. :param dashboard: Dashboard the user wants access to :raises DashboardAccessDeniedError: If the user cannot access the resource """ # pylint: disable=import-outside-toplevel from superset import is_feature_enabled from superset.dashboards.commands.exceptions import DashboardAccessDeniedError from superset.views.base import get_user_roles, is_user_admin from superset.views.utils import is_owner has_rbac_access = True if is_feature_enabled("DASHBOARD_RBAC"): has_rbac_access = any( dashboard_role.id in [user_role.id for user_role in get_user_roles()] for dashboard_role in dashboard.roles ) can_access = ( is_user_admin() or is_owner(dashboard, g.user) or (dashboard.published and has_rbac_access) or (not dashboard.published and not dashboard.roles) ) if not can_access: raise DashboardAccessDeniedError()
def apply(self, query: Query, value: Any) -> Query: user_roles = [role.name.lower() for role in list(get_user_roles())] if "admin" in user_roles: return query datasource_perms = security_manager.user_view_menu_names("datasource_access") schema_perms = security_manager.user_view_menu_names("schema_access") published_dash_query = ( db.session.query(Dashboard.id) .join(Dashboard.slices) .filter( and_( Dashboard.published == True, # pylint: disable=singleton-comparison or_( Slice.perm.in_(datasource_perms), Slice.schema_perm.in_(schema_perms), security_manager.can_access_all_datasources(), ), ) ) ) users_favorite_dash_query = db.session.query(FavStar.obj_id).filter( and_( FavStar.user_id == security_manager.user_model.get_user_id(), FavStar.class_name == "Dashboard", ) ) owner_ids_query = ( db.session.query(Dashboard.id) .join(Dashboard.owners) .filter( security_manager.user_model.id == security_manager.user_model.get_user_id() ) ) if "custom" in user_roles: query = query.filter( and_( Dashboard.id.in_(owner_ids_query), ) ) return query query = query.filter( or_( Dashboard.id.in_(owner_ids_query), Dashboard.id.in_(published_dash_query), Dashboard.id.in_(users_favorite_dash_query), ) ) return query
def apply(self, query: Query, value: Any) -> Query: if is_user_admin(): return query datasource_perms = security_manager.user_view_menu_names( "datasource_access") schema_perms = security_manager.user_view_menu_names("schema_access") is_rbac_disabled_filter = [] dashboard_has_roles = Dashboard.roles.any() if is_feature_enabled("DASHBOARD_RBAC"): is_rbac_disabled_filter.append(~dashboard_has_roles) datasource_perm_query = (db.session.query(Dashboard.id).join( Dashboard.slices).filter( and_( Dashboard.published.is_(True), *is_rbac_disabled_filter, or_( Slice.perm.in_(datasource_perms), Slice.schema_perm.in_(schema_perms), security_manager.can_access_all_datasources(), ), ))) users_favorite_dash_query = db.session.query(FavStar.obj_id).filter( and_( FavStar.user_id == security_manager.user_model.get_user_id(), FavStar.class_name == "Dashboard", )) owner_ids_query = (db.session.query(Dashboard.id).join( Dashboard.owners).filter( security_manager.user_model.id == security_manager.user_model.get_user_id())) dashboard_rbac_or_filters = [] if is_feature_enabled("DASHBOARD_RBAC"): roles_based_query = (db.session.query(Dashboard.id).join( Dashboard.roles).filter( and_( Dashboard.published.is_(True), dashboard_has_roles, Role.id.in_([x.id for x in get_user_roles()]), ), )) dashboard_rbac_or_filters.append( Dashboard.id.in_(roles_based_query)) query = query.filter( or_( Dashboard.id.in_(owner_ids_query), Dashboard.id.in_(datasource_perm_query), Dashboard.id.in_(users_favorite_dash_query), *dashboard_rbac_or_filters, )) return query
def raise_for_dashboard_access(dashboard: Dashboard) -> None: from superset.views.base import get_user_roles, is_user_admin from superset.views.utils import is_owner if is_feature_enabled("DASHBOARD_RBAC"): has_rbac_access = any(dashboard_role.id in [user_role.id for user_role in get_user_roles()] for dashboard_role in dashboard.roles) can_access = (is_user_admin() or is_owner(dashboard, g.user) or (dashboard.published and has_rbac_access)) if not can_access: raise DashboardAccessDeniedError()