Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2022/01/13 09:10:07 UTC

[GitHub] [superset] BinRoq commented on issue #17914: [SIP] Proposal for controlling View Only access to Dashboards

BinRoq commented on issue #17914:
URL: https://github.com/apache/superset/issues/17914#issuecomment-1011937745


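       @has_access
       @expose("/dashboard/<dashboard_id>/")
       def dashboard(self, dashboard_id):
           """Server side rendering for a dashboard.

           Looks the dashboard up by numeric id or by slug, answers 404 when no
           row matches, and refuses the request unless the current user holds
           the "Admin" role or is listed among the dashboard's owners or
           viewers.
           """

           def check_owner_or_viewer(obj):
               """Return True if the current user may view ``obj``.

               Access is granted to users holding the "Admin" role and to
               users whose username appears in ``obj.owners`` or
               ``obj.viewers``. A missing object and an anonymous user are
               always refused.
               """
               if not obj:
                   return False

               if g.user.is_anonymous:
                   return False

               # Admins bypass the per-dashboard owner/viewer lists.
               if "Admin" in {r.name for r in get_user_roles()}:
                   return True

               # Owners and viewers are treated alike here: both may view.
               allowed_names = {
                   u.username for u in [*obj.owners, *obj.viewers] if u
               }
               return bool(
                   g.user
                   and hasattr(g.user, "username")
                   and g.user.username in allowed_names
               )

           session = db.session()
           qry = session.query(models.Dashboard)
           # isdecimal() rather than isdigit(): isdigit() also accepts characters
           # such as superscript digits that int() rejects, which would turn a
           # crafted URL segment into an unhandled ValueError.
           if dashboard_id.isdecimal():
               qry = qry.filter_by(id=int(dashboard_id))
           else:
               qry = qry.filter_by(slug=dashboard_id)

           dash = qry.one_or_none()
           if not dash:
               abort(404)

           # NOTE(review): 404 for a missing dashboard and 403 for a forbidden one
           # lets a caller tell the two apart; confirm that is acceptable.
           if not check_owner_or_viewer(dash):
               # The requester is not allowed to see this dashboard, so the denial
               # payload carries only their own details and the id; the dashboard
               # title is left out. getattr() is used because the anonymous path
               # reaches this branch and the user object may lack these fields.
               bootstrap_data = {
                   "user_id": g.user.get_id(),
                   "user_name": getattr(g.user, "username", None),
                   "user.first_name": getattr(g.user, "first_name", None),
                   "user.last_name": getattr(g.user, "last_name", None),
                   "dashboard_id": dash.id,
                   "error": "Need either Owner or Viewer privilege to view this dashboard",
               }

               flash(__("You have no permission to view this dashboard"), "danger")

               # Report the refusal as 403 so clients, proxies and logs do not
               # record an authorization failure as a successful request.
               return json_success(json.dumps(bootstrap_data), status=403)

           # Collect the distinct datasources backing the dashboard's slices.
           datasources = set()
           for slc in dash.slices:
               datasource = slc.datasource
               if datasource:
                   datasources.add(datasource)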

