def test_returns_true_for_existing_permission(self):
query = self.factory.create_query()
other_user = self.factory.create_user()
AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=other_user)
rv = self.make_request("get", "/api/queries/{}/acl/{}".format(query.id, ACCESS_TYPE_MODIFY), user=other_user)
self.assertEqual(rv.status_code, 200)
self.assertEqual(True, rv.json["response"])
def test_returns_existing_object_if_exists(self):
q = self.factory.create_query()
permission1 = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=self.factory.user)
permission2 = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=self.factory.user)
self.assertEqual(permission1.id, permission2.id)
def test_deletes_all_permissions_if_no_type_given(self):
q = self.factory.create_query()
permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=self.factory.user)
permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_VIEW,
grantor=self.factory.user,
grantee=self.factory.user)
self.assertEqual(2, AccessPermission.revoke(q, self.factory.user))
def test_returns_permissions(self):
query = self.factory.create_query()
user = self.factory.user
AccessPermission.grant(
obj=query, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=self.factory.user
)
rv = self.make_request("get", "/api/queries/{}/acl".format(query.id), user=user)
self.assertEqual(rv.status_code, 200)
self.assertIn("modify", rv.json)
self.assertEqual(user.id, rv.json["modify"][0]["id"])
def test_removes_permission(self):
query = self.factory.create_query()
user = self.factory.user
other_user = self.factory.create_user()
data = {"access_type": ACCESS_TYPE_MODIFY, "user_id": other_user.id}
AccessPermission.grant(obj=query, access_type=ACCESS_TYPE_MODIFY, grantor=self.factory.user, grantee=other_user)
rv = self.make_request("delete", "/api/queries/{}/acl".format(query.id), user=user, data=data)
self.assertEqual(rv.status_code, 200)
self.assertFalse(AccessPermission.exists(query, ACCESS_TYPE_MODIFY, other_user))
def post(self, object_type, object_id):
model = get_model_from_type(object_type)
obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)
require_admin_or_owner(obj.user_id)
req = request.get_json(True)
access_type = req['access_type']
if access_type not in ACCESS_TYPES:
abort(400, message='Unknown access type.')
try:
grantee = User.get_by_id_and_org(req['user_id'], self.current_org)
except User.DoesNotExist:
abort(400, message='User not found.')
permission = AccessPermission.grant(obj, access_type, grantee, self.current_user)
self.record_event({
'action': 'grant_permission',
'object_id': object_id,
'object_type': object_type,
'access_type': access_type,
'grantee': grantee.id
})
return permission.to_dict()
def test_works_for_non_owner_with_permission(self):
d = self.factory.create_dashboard()
user = self.factory.create_user()
new_name = 'New Name'
rv = self.make_request('post', '/api/dashboards/{0}'.format(d.id),
data={'name': new_name, 'layout': '[]', 'version': d.version}, user=user)
self.assertEqual(rv.status_code, 403)
AccessPermission.grant(obj=d, access_type=ACCESS_TYPE_MODIFY, grantee=user, grantor=d.user)
rv = self.make_request('post', '/api/dashboards/{0}'.format(d.id),
data={'name': new_name, 'layout': '[]', 'version': d.version}, user=user)
self.assertEqual(rv.status_code, 200)
self.assertEqual(rv.json['name'], new_name)
def get(self, object_type, object_id, access_type):
model = get_model_from_type(object_type)
obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)
has_access = AccessPermission.exists(obj, access_type, self.current_user)
return {'response': has_access}
def test_creates_permission_if_the_user_is_an_owner(self):
query = self.factory.create_query()
other_user = self.factory.create_user()
data = {"access_type": ACCESS_TYPE_MODIFY, "user_id": other_user.id}
rv = self.make_request("post", "/api/queries/{}/acl".format(query.id), user=query.user, data=data)
self.assertEqual(200, rv.status_code)
self.assertTrue(AccessPermission.exists(query, ACCESS_TYPE_MODIFY, other_user))
def test_creates_correct_object(self):
q = self.factory.create_query()
permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=self.factory.user)
self.assertEqual(permission.object, q)
self.assertEqual(permission.grantor, self.factory.user)
self.assertEqual(permission.grantee, self.factory.user)
self.assertEqual(permission.access_type, ACCESS_TYPE_MODIFY)
def delete(self, object_type, object_id):
model = get_model_from_type(object_type)
obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)
require_admin_or_owner(obj.user_id)
req = request.get_json(True)
grantee = req['user_id']
access_type = req['access_type']
AccessPermission.revoke(obj, grantee, access_type)
self.record_event({
'action': 'revoke_permission',
'object_id': object_id,
'object_type': object_type,
'access_type': access_type,
'grantee': grantee
})
def get(self, object_type, object_id):
model = get_model_from_type(object_type)
obj = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)
# TODO: include grantees in search to avoid N+1 queries
permissions = AccessPermission.find(obj)
result = defaultdict(list)
for perm in permissions:
result[perm.access_type].append(perm.grantee.to_dict())
return result
def test_deletes_permission_for_only_given_grantee_on_given_grant_type(self):
q = self.factory.create_query()
first_user = self.factory.create_user()
second_user = self.factory.create_user()
AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=first_user)
AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=second_user)
AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_VIEW,
grantor=self.factory.user,
grantee=second_user)
self.assertEqual(1, AccessPermission.revoke(q, second_user, ACCESS_TYPE_VIEW))
from __future__ import print_function
from redash.models import db, Change, AccessPermission, Query, Dashboard
from playhouse.migrate import PostgresqlMigrator, migrate
if __name__ == '__main__':
if not Change.table_exists():
Change.create_table()
if not AccessPermission.table_exists():
AccessPermission.create_table()
migrator = PostgresqlMigrator(db.database)
try:
migrate(
migrator.add_column('queries', 'version', Query.version),
migrator.add_column('dashboards', 'version', Dashboard.version)
)
except Exception as ex:
print("Error while adding version column to queries/dashboards. Maybe it already exists?")
print(ex)
def test_deletes_nothing_when_no_permission_exists(self):
q = self.factory.create_query()
self.assertEqual(0, AccessPermission.revoke(q, self.factory.user, ACCESS_TYPE_MODIFY))
def test_deletes_permission(self):
q = self.factory.create_query()
permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=self.factory.user)
self.assertEqual(1, AccessPermission.revoke(q, self.factory.user, ACCESS_TYPE_MODIFY))
def test_deletes_permission(self):
q = self.factory.create_query()
permission = AccessPermission.grant(obj=q, access_type=ACCESS_TYPE_MODIFY,
grantor=self.factory.user,
grantee=self.factory.user)
self.assertEqual(1, AccessPermission.revoke(q, self.factory.user, ACCESS_TYPE_MODIFY))
def test_deletes_nothing_when_no_permission_exists(self):
q = self.factory.create_query()
self.assertEqual(0, AccessPermission.revoke(q, self.factory.user, ACCESS_TYPE_MODIFY))
from __future__ import print_function
from redash.models import db, Change, AccessPermission, Query, Dashboard
from playhouse.migrate import PostgresqlMigrator, migrate
if __name__ == '__main__':
if not Change.table_exists():
Change.create_table()
if not AccessPermission.table_exists():
AccessPermission.create_table()
migrator = PostgresqlMigrator(db.database)
try:
migrate(
migrator.add_column('queries', 'version', Query.version),
migrator.add_column('dashboards', 'version', Dashboard.version))
except Exception as ex:
print(
"Error while adding version column to queries/dashboards. Maybe it already exists?"
)
print(ex)