示例#1
0
    def test_returns_true_for_existing_permission(self):
        query = self.factory.create_query()
        other_user = self.factory.create_user()

        AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=other_user)

        rv = self.make_request("get", "/api/queries/{}/acl/{}".format(query.id, ACCESS_TYPE_MODIFY), user=other_user)

        self.assertEqual(rv.status_code, 200)
        self.assertEqual(True, rv.json["response"])
示例#2
0
    def test_returns_existing_object_if_exists(self):
        q = self.factory.create_query()
        permission1 = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
                                            grantor=self.factory.user,
                                            grantee=self.factory.user)

        permission2 = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
                                            grantor=self.factory.user,
                                            grantee=self.factory.user)

        self.assertEqual(permission1.id, permission2.id)
示例#3
0
    def test_deletes_all_permissions_if_no_type_given(self):
        q = self.factory.create_query()

        permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
                                            grantor=self.factory.user,
                                            grantee=self.factory.user)

        permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_VIEW,
                                            grantor=self.factory.user,
                                            grantee=self.factory.user)

        self.assertEqual(2, AccessPermission.revoke(q, self.factory.user))
示例#4
0
    def test_returns_permissions(self):
        query = self.factory.create_query()
        user = self.factory.user

        AccessPermission.grant(
            obj=query, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=self.factory.user
        )

        rv = self.make_request("get", "/api/queries/{}/acl".format(query.id), user=user)

        self.assertEqual(rv.status_code, 200)
        self.assertIn("modify", rv.json)
        self.assertEqual(user.id, rv.json["modify"][0]["id"])
示例#5
0
    def test_removes_permission(self):
        query = self.factory.create_query()
        user = self.factory.user
        other_user = self.factory.create_user()

        data = {"access_type": ACCESS_TYPE_MODIFY, "user_id": other_user.id}

        AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=other_user)

        rv = self.make_request("delete", "/api/queries/{}/acl".format(query.id), user=user, data=data)

        self.assertEqual(rv.status_code, 200)

        self.assertFalse(AccessPermission.exists(query, ACCESS_TYPE_MODIFY, other_user))
示例#6
0
    def post(self, object_type, object_id):
        model = get_model_from_type(object_type)
        obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)

        require_admin_or_owner(obj.user_id)

        req = request.get_json(True)

        access_type = req['access_type']

        if access_type not in ACCESS_TYPES:
            abort(400, message='Unknown access type.')

        try:
            grantee = User.get_by_id_and_org(req['user_id'], self.current_org)
        except User.DoesNotExist:
            abort(400, message='User not found.')

        permission = AccessPermission.grant(obj, access_type, grantee, self.current_user)

        self.record_event({
            'action': 'grant_permission',
            'object_id': object_id,
            'object_type': object_type,
            'access_type': access_type,
            'grantee': grantee.id
        })

        return permission.to_dict()
示例#7
0
    def test_works_for_non_owner_with_permission(self):
        d = self.factory.create_dashboard()
        user = self.factory.create_user()

        new_name = 'New Name'
        rv = self.make_request('post', '/api/dashboards/{0}'.format(d.id),
                               data={'name': new_name, 'layout': '[]', 'version': d.version}, user=user)
        self.assertEqual(rv.status_code, 403)

        AccessPermission.grant(obj=d, access_type=ACCESS_TYPE_MODIFY, grantee=user, grantor=d.user)

        rv = self.make_request('post', '/api/dashboards/{0}'.format(d.id),
                               data={'name': new_name, 'layout': '[]', 'version': d.version}, user=user)

        self.assertEqual(rv.status_code, 200)
        self.assertEqual(rv.json['name'], new_name)
示例#8
0
    def get(self, object_type, object_id, access_type):
        model = get_model_from_type(object_type)
        obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)

        has_access = AccessPermission.exists(obj, access_type, self.current_user)

        return {'response': has_access}
示例#9
0
    def test_creates_permission_if_the_user_is_an_owner(self):
        query = self.factory.create_query()
        other_user = self.factory.create_user()

        data = {"access_type": ACCESS_TYPE_MODIFY, "user_id": other_user.id}

        rv = self.make_request("post", "/api/queries/{}/acl".format(query.id), user=query.user, data=data)

        self.assertEqual(200, rv.status_code)
        self.assertTrue(AccessPermission.exists(query, ACCESS_TYPE_MODIFY, other_user))
示例#10
0
    def test_creates_correct_object(self):
        q = self.factory.create_query()
        permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
                                            grantor=self.factory.user,
                                            grantee=self.factory.user)

        self.assertEqual(permission.object, q)
        self.assertEqual(permission.grantor, self.factory.user)
        self.assertEqual(permission.grantee, self.factory.user)
        self.assertEqual(permission.access_type, ACCESS_TYPE_MODIFY)
示例#11
0
    def delete(self, object_type, object_id):
        model = get_model_from_type(object_type)
        obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)

        require_admin_or_owner(obj.user_id)

        req = request.get_json(True)
        grantee = req['user_id']
        access_type = req['access_type']

        AccessPermission.revoke(obj, grantee, access_type)

        self.record_event({
            'action': 'revoke_permission',
            'object_id': object_id,
            'object_type': object_type,
            'access_type': access_type,
            'grantee': grantee
        })
示例#12
0
    def get(self, object_type, object_id):
        model = get_model_from_type(object_type)
        obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)

        # TODO: include grantees in search to avoid N+1 queries
        permissions = AccessPermission.find(obj)

        result = defaultdict(list)

        for perm in permissions:
            result[perm.access_type].append(perm.grantee.to_dict())

        return result
示例#13
0
    def test_deletes_permission_for_only_given_grantee_on_given_grant_type(self):
        q = self.factory.create_query()
        first_user  = self.factory.create_user()
        second_user = self.factory.create_user()

        AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
                               grantor=self.factory.user,
                               grantee=first_user)

        AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
                               grantor=self.factory.user,
                               grantee=second_user)

        AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_VIEW,
                               grantor=self.factory.user,
                               grantee=second_user)

        self.assertEqual(1, AccessPermission.revoke(q, second_user, ACCESS_TYPE_VIEW))
from __future__ import print_function
from redash.models import db, Change, AccessPermission, Query, Dashboard
from playhouse.migrate import PostgresqlMigrator, migrate

if __name__ == '__main__':

    if not Change.table_exists():
        Change.create_table()

    if not AccessPermission.table_exists():
        AccessPermission.create_table()

    migrator = PostgresqlMigrator(db.database)

    try:
        migrate(
            migrator.add_column('queries', 'version', Query.version),
            migrator.add_column('dashboards', 'version', Dashboard.version)
        )
    except Exception as ex:
        print("Error while adding version column to queries/dashboards. Maybe it already exists?")
        print(ex)

示例#15
0
 def test_deletes_nothing_when_no_permission_exists(self):
     q = self.factory.create_query()
     self.assertEqual(0, AccessPermission.revoke(q, self.factory.user, ACCESS_TYPE_MODIFY))
示例#16
0
 def test_deletes_permission(self):
     q = self.factory.create_query()
     permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
                                         grantor=self.factory.user,
                                         grantee=self.factory.user)
     self.assertEqual(1, AccessPermission.revoke(q, self.factory.user, ACCESS_TYPE_MODIFY))
示例#17
0
 def test_deletes_permission(self):
     q = self.factory.create_query()
     permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
                                         grantor=self.factory.user,
                                         grantee=self.factory.user)
     self.assertEqual(1, AccessPermission.revoke(q, self.factory.user, ACCESS_TYPE_MODIFY))
示例#18
0
 def test_deletes_nothing_when_no_permission_exists(self):
     q = self.factory.create_query()
     self.assertEqual(0, AccessPermission.revoke(q, self.factory.user, ACCESS_TYPE_MODIFY))
示例#19
0
from __future__ import print_function
from redash.models import db, Change, AccessPermission, Query, Dashboard
from playhouse.migrate import PostgresqlMigrator, migrate

if __name__ == '__main__':

    if not Change.table_exists():
        Change.create_table()

    if not AccessPermission.table_exists():
        AccessPermission.create_table()

    migrator = PostgresqlMigrator(db.database)

    try:
        migrate(
            migrator.add_column('queries', 'version', Query.version),
            migrator.add_column('dashboards', 'version', Dashboard.version))
    except Exception as ex:
        print(
            "Error while adding version column to queries/dashboards. Maybe it already exists?"
        )
        print(ex)