You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@superset.apache.org by dp...@apache.org on 2020/01/26 12:16:13 UTC
[incubator-superset] branch master updated: [log] fix,
log model view permissions (#8993)
This is an automated email from the ASF dual-hosted git repository.
dpgaspar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git
The following commit(s) were added to refs/heads/master by this push:
new 1f21bf8 [log] fix, log model view permissions (#8993)
1f21bf8 is described below
commit 1f21bf877fbe878a5ec3e6476ae63ea1a2e82441
Author: Daniel Vaz Gaspar <da...@gmail.com>
AuthorDate: Sun Jan 26 12:15:57 2020 +0000
[log] fix, log model view permissions (#8993)
Limit MVC access to admin role only and limit REST API permissions
---
superset/security/manager.py | 1 +
superset/views/log/api.py | 2 +-
tests/log_api_tests.py | 130 +++++++++++++++++++++++++++++++++++++++++++
tests/security_tests.py | 13 +++--
4 files changed, 141 insertions(+), 5 deletions(-)
diff --git a/superset/security/manager.py b/superset/security/manager.py
index f1b69d1..4a3394d 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -115,6 +115,7 @@ class SupersetSecurityManager(SecurityManager):
"Refresh Druid Metadata",
"ResetPasswordView",
"RoleModelView",
+ "LogModelView",
"Security",
} | USER_MODEL_VIEWS
diff --git a/superset/views/log/api.py b/superset/views/log/api.py
index cc9424e..d579eb0 100644
--- a/superset/views/log/api.py
+++ b/superset/views/log/api.py
@@ -24,7 +24,7 @@ from . import LogMixin
class LogRestApi(LogMixin, BaseSupersetModelRestApi):
datamodel = SQLAInterface(models.Log)
-
+ include_route_methods = {"get_list", "get", "post"}
class_permission_name = "LogModelView"
resource_name = "log"
allow_browser_login = True
diff --git a/tests/log_api_tests.py b/tests/log_api_tests.py
new file mode 100644
index 0000000..86ee173
--- /dev/null
+++ b/tests/log_api_tests.py
@@ -0,0 +1,130 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""Unit tests for Superset"""
+import json
+from typing import Optional
+
+import prison
+from flask_appbuilder.security.sqla.models import User
+
+from superset import db
+from superset.models.core import Log
+
+from .base_tests import SupersetTestCase
+
+
+class LogApiTests(SupersetTestCase):
+ def insert_log(
+ self,
+ action: str,
+ user: "User",
+ dashboard_id: Optional[int] = 0,
+ slice_id: Optional[int] = 0,
+ json: Optional[str] = "",
+ duration_ms: Optional[int] = 0,
+ ):
+ log = Log(
+ action=action,
+ user=user,
+ dashboard_id=dashboard_id,
+ slice_id=slice_id,
+ json=json,
+ duration_ms=duration_ms,
+ )
+ db.session.add(log)
+ db.session.commit()
+ return log
+
+ def test_get_list(self):
+ """
+ Log API: Test get list
+ """
+ admin_user = self.get_user("admin")
+ log = self.insert_log("some_action", admin_user)
+ self.login(username="admin")
+ arguments = {"filters": [{"col": "action", "opr": "sw", "value": "some_"}]}
+ uri = f"api/v1/log/?q={prison.dumps(arguments)}"
+ rv = self.client.get(uri)
+ self.assertEqual(rv.status_code, 200)
+ response = json.loads(rv.data.decode("utf-8"))
+ expected_columns = ["action", "dttm", "user"]
+ self.assertEqual(list(response["result"][0].keys()), expected_columns)
+ self.assertEqual(response["result"][0]["action"], "some_action")
+ self.assertEqual(response["result"][0]["user"], {"username": "admin"})
+ db.session.delete(log)
+ db.session.commit()
+
+ def test_get_list_not_allowed(self):
+ """
+ Log API: Test get list
+ """
+ admin_user = self.get_user("admin")
+ log = self.insert_log("action", admin_user)
+ self.login(username="gamma")
+ uri = "api/v1/log/"
+ rv = self.client.get(uri)
+ self.assertEqual(rv.status_code, 401)
+ self.login(username="alpha")
+ rv = self.client.get(uri)
+ self.assertEqual(rv.status_code, 401)
+
+ def test_get_item(self):
+ """
+ Log API: Test get item
+ """
+ admin_user = self.get_user("admin")
+ log = self.insert_log("some_action", admin_user)
+ self.login(username="admin")
+ uri = f"api/v1/log/{log.id}"
+ rv = self.client.get(uri)
+ self.assertEqual(rv.status_code, 200)
+ response = json.loads(rv.data.decode("utf-8"))
+
+ expected_columns = ["action", "dttm", "user"]
+ self.assertEqual(list(response["result"].keys()), expected_columns)
+ self.assertEqual(response["result"]["action"], "some_action")
+ self.assertEqual(response["result"]["user"], {"username": "admin"})
+ db.session.delete(log)
+ db.session.commit()
+
+ def test_delete_log(self):
+ """
+ Log API: Test delete (does not exist)
+ """
+ admin_user = self.get_user("admin")
+ log = self.insert_log("action", admin_user)
+ self.login(username="admin")
+ uri = f"api/v1/log/{log.id}"
+ rv = self.client.delete(uri)
+ self.assertEqual(rv.status_code, 405)
+ db.session.delete(log)
+ db.session.commit()
+
+ def test_update_log(self):
+ """
+ Log API: Test update (does not exist)
+ """
+ admin_user = self.get_user("admin")
+ log = self.insert_log("action", admin_user)
+ self.login(username="admin")
+
+ log_data = {"action": "some_action"}
+ uri = f"api/v1/log/{log.id}"
+ rv = self.client.put(uri, json=log_data)
+ self.assertEqual(rv.status_code, 405)
+ db.session.delete(log)
+ db.session.commit()
diff --git a/tests/security_tests.py b/tests/security_tests.py
index f16f411..864d28e 100644
--- a/tests/security_tests.py
+++ b/tests/security_tests.py
@@ -579,11 +579,16 @@ class RolePermissionTests(SupersetTestCase):
)
)
- self.assertTrue(
- security_manager._is_admin_only(
- security_manager.find_permission_view_menu("can_delete", "DatabaseView")
+ log_permissions = ["can_list", "can_show"]
+ for log_permission in log_permissions:
+ self.assertTrue(
+ security_manager._is_admin_only(
+ security_manager.find_permission_view_menu(
+ log_permission, "LogModelView"
+ )
+ )
)
- )
+
if app.config["ENABLE_ACCESS_REQUEST"]:
self.assertTrue(
security_manager._is_admin_only(