def test_returns_true_for_existing_permission(self): query = self.factory.create_query() other_user = self.factory.create_user() AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=other_user) rv = self.make_request("get", "/api/queries/{}/acl/{}".format(query.id, ACCESS_TYPE_MODIFY), user=other_user) self.assertEqual(rv.status_code, 200) self.assertEqual(True, rv.json["response"])
def test_returns_existing_object_if_exists(self): q = self.factory.create_query() permission1 = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=self.factory.user) permission2 = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=self.factory.user) self.assertEqual(permission1.id, permission2.id)
def test_deletes_all_permissions_if_no_type_given(self): q = self.factory.create_query() permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=self.factory.user) permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_VIEW, grantor=self.factory.user, grantee=self.factory.user) self.assertEqual(2, AccessPermission.revoke(q, self.factory.user))
def test_returns_permissions(self): query = self.factory.create_query() user = self.factory.user AccessPermission.grant( obj=query, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=self.factory.user ) rv = self.make_request("get", "/api/queries/{}/acl".format(query.id), user=user) self.assertEqual(rv.status_code, 200) self.assertIn("modify", rv.json) self.assertEqual(user.id, rv.json["modify"][0]["id"])
def test_removes_permission(self): query = self.factory.create_query() user = self.factory.user other_user = self.factory.create_user() data = {"access_type": ACCESS_TYPE_MODIFY, "user_id": other_user.id} AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=other_user) rv = self.make_request("delete", "/api/queries/{}/acl".format(query.id), user=user, data=data) self.assertEqual(rv.status_code, 200) self.assertFalse(AccessPermission.exists(query, ACCESS_TYPE_MODIFY, other_user))
def post(self, object_type, object_id): model = get_model_from_type(object_type) obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org) require_admin_or_owner(obj.user_id) req = request.get_json(True) access_type = req['access_type'] if access_type not in ACCESS_TYPES: abort(400, message='Unknown access type.') try: grantee = User.get_by_id_and_org(req['user_id'], self.current_org) except User.DoesNotExist: abort(400, message='User not found.') permission = AccessPermission.grant(obj, access_type, grantee, self.current_user) self.record_event({ 'action': 'grant_permission', 'object_id': object_id, 'object_type': object_type, 'access_type': access_type, 'grantee': grantee.id }) return permission.to_dict()
def test_works_for_non_owner_with_permission(self): d = self.factory.create_dashboard() user = self.factory.create_user() new_name = 'New Name' rv = self.make_request('post', '/api/dashboards/{0}'.format(d.id), data={'name': new_name, 'layout': '[]', 'version': d.version}, user=user) self.assertEqual(rv.status_code, 403) AccessPermission.grant(obj=d, access_type=ACCESS_TYPE_MODIFY, grantee=user, grantor=d.user) rv = self.make_request('post', '/api/dashboards/{0}'.format(d.id), data={'name': new_name, 'layout': '[]', 'version': d.version}, user=user) self.assertEqual(rv.status_code, 200) self.assertEqual(rv.json['name'], new_name)
def get(self, object_type, object_id, access_type): model = get_model_from_type(object_type) obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org) has_access = AccessPermission.exists(obj, access_type, self.current_user) return {'response': has_access}
def test_creates_permission_if_the_user_is_an_owner(self): query = self.factory.create_query() other_user = self.factory.create_user() data = {"access_type": ACCESS_TYPE_MODIFY, "user_id": other_user.id} rv = self.make_request("post", "/api/queries/{}/acl".format(query.id), user=query.user, data=data) self.assertEqual(200, rv.status_code) self.assertTrue(AccessPermission.exists(query, ACCESS_TYPE_MODIFY, other_user))
def test_creates_correct_object(self): q = self.factory.create_query() permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=self.factory.user) self.assertEqual(permission.object, q) self.assertEqual(permission.grantor, self.factory.user) self.assertEqual(permission.grantee, self.factory.user) self.assertEqual(permission.access_type, ACCESS_TYPE_MODIFY)
def delete(self, object_type, object_id): model = get_model_from_type(object_type) obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org) require_admin_or_owner(obj.user_id) req = request.get_json(True) grantee = req['user_id'] access_type = req['access_type'] AccessPermission.revoke(obj, grantee, access_type) self.record_event({ 'action': 'revoke_permission', 'object_id': object_id, 'object_type': object_type, 'access_type': access_type, 'grantee': grantee })
def get(self, object_type, object_id): model = get_model_from_type(object_type) obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org) # TODO: include grantees in search to avoid N+1 queries permissions = AccessPermission.find(obj) result = defaultdict(list) for perm in permissions: result[perm.access_type].append(perm.grantee.to_dict()) return result
def test_deletes_permission_for_only_given_grantee_on_given_grant_type(self): q = self.factory.create_query() first_user = self.factory.create_user() second_user = self.factory.create_user() AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=first_user) AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=second_user) AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_VIEW, grantor=self.factory.user, grantee=second_user) self.assertEqual(1, AccessPermission.revoke(q, second_user, ACCESS_TYPE_VIEW))
from __future__ import print_function from redash.models import db, Change, AccessPermission, Query, Dashboard from playhouse.migrate import PostgresqlMigrator, migrate if __name__ == '__main__': if not Change.table_exists(): Change.create_table() if not AccessPermission.table_exists(): AccessPermission.create_table() migrator = PostgresqlMigrator(db.database) try: migrate( migrator.add_column('queries', 'version', Query.version), migrator.add_column('dashboards', 'version', Dashboard.version) ) except Exception as ex: print("Error while adding version column to queries/dashboards. Maybe it already exists?") print(ex)
def test_deletes_nothing_when_no_permission_exists(self): q = self.factory.create_query() self.assertEqual(0, AccessPermission.revoke(q, self.factory.user, ACCESS_TYPE_MODIFY))
def test_deletes_permission(self): q = self.factory.create_query() permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=self.factory.user) self.assertEqual(1, AccessPermission.revoke(q, self.factory.user, ACCESS_TYPE_MODIFY))
from __future__ import print_function from redash.models import db, Change, AccessPermission, Query, Dashboard from playhouse.migrate import PostgresqlMigrator, migrate if __name__ == '__main__': if not Change.table_exists(): Change.create_table() if not AccessPermission.table_exists(): AccessPermission.create_table() migrator = PostgresqlMigrator(db.database) try: migrate( migrator.add_column('queries', 'version', Query.version), migrator.add_column('dashboards', 'version', Dashboard.version)) except Exception as ex: print( "Error while adding version column to queries/dashboards. Maybe it already exists?" ) print(ex)