You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2018/09/12 08:53:28 UTC

[GitHub] datinho closed pull request #5845: Added dashboard only Rho role

datinho closed pull request #5845: Added dashboard only Rho role
URL: https://github.com/apache/incubator-superset/pull/5845
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/docs/security.rst b/docs/security.rst
index b6a2b1016c..44081bf4a8 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -45,6 +45,15 @@ mostly content consumers, though they can create slices and dashboards.
 Also note that when Gamma users look at the dashboards and slices list view,
 they will only see the objects that they have access to.
 
+Rho
+"""
+Rho have read only access to dashboards. They cannot view anything else
+like tables or slices, is targered for users that access to data as a
+cockpit.
+
+As Gamma role the Rho users look at the dashboards, they will only see
+the objects that they have access to.
+
 sql_lab
 """""""
 The ``sql_lab`` role grants access to SQL Lab. Note that while ``Admin``
diff --git a/superset/config.py b/superset/config.py
index a5e4f2988c..ba4ae40470 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -351,7 +351,7 @@ class CeleryConfig(object):
 
 # Roles that are controlled by the API / Superset and should not be changes
 # by humans.
-ROBOT_PERMISSION_ROLES = ['Public', 'Gamma', 'Alpha', 'Admin', 'sql_lab']
+ROBOT_PERMISSION_ROLES = ['Public', 'Rho', 'Gamma', 'Alpha', 'Admin', 'sql_lab']
 
 CONFIG_PATH_ENV_VAR = 'SUPERSET_CONFIG_PATH'
 
diff --git a/superset/security.py b/superset/security.py
index 8ea8c04d09..ede9dead8d 100644
--- a/superset/security.py
+++ b/superset/security.py
@@ -22,6 +22,10 @@
     'DruidClusterModelView',
 }
 
+RHO_READ_ONLY_MODEL_VIEWS = {
+    'DashboardModelView',
+} | READ_ONLY_MODEL_VIEWS
+
 GAMMA_READ_ONLY_MODEL_VIEWS = {
     'SqlMetricInlineView',
     'TableColumnInlineView',
@@ -51,6 +55,11 @@
     'Upload a CSV',
 }
 
+GAMMA_ONLY_VIEW_MENUS = {
+    'Charts',
+    'Sources',
+}
+
 ADMIN_ONLY_PERMISSIONS = {
     'all_database_access',
     'can_sql_json',  # TODO: move can_sql_json to sql_lab role
@@ -71,6 +80,15 @@
     'all_datasource_access',
 ])
 
+GAMMA_ONLY_PERMISSIONS = set([
+    'can_add',
+    'can_add_slices',
+    'can_delete',
+    'can_edit',
+    'can_explore',
+    'can_show',
+])
+
 OBJECT_SPEC_PERMISSIONS = set([
     'database_access',
     'schema_access',
@@ -317,6 +335,7 @@ def sync_role_definitions(self):
         self.set_role('Admin', self.is_admin_pvm)
         self.set_role('Alpha', self.is_alpha_pvm)
         self.set_role('Gamma', self.is_gamma_pvm)
+        self.set_role('Rho', self.is_rho_pvm)
         self.set_role('granter', self.is_granter_pvm)
         self.set_role('sql_lab', self.is_sql_lab_pvm)
 
@@ -359,6 +378,15 @@ def is_alpha_only(self, pvm):
             pvm.permission.name in ALPHA_ONLY_PERMISSIONS
         )
 
+    def is_gamma_only(self, pvm):
+        if (pvm.view_menu.name in RHO_READ_ONLY_MODEL_VIEWS and
+                pvm.permission.name not in READ_ONLY_PERMISSION):
+            return True
+        return (
+            pvm.view_menu.name in GAMMA_ONLY_VIEW_MENUS or
+            pvm.permission.name in GAMMA_ONLY_PERMISSIONS
+        )
+
     def is_admin_pvm(self, pvm):
         return not self.is_user_defined_permission(pvm)
 
@@ -369,6 +397,10 @@ def is_gamma_pvm(self, pvm):
         return not (self.is_user_defined_permission(pvm) or self.is_admin_only(pvm) or
                     self.is_alpha_only(pvm))
 
+    def is_rho_pvm(self, pvm):
+        return not (self.is_user_defined_permission(pvm) or self.is_admin_only(pvm) or
+                    self.is_alpha_only(pvm) or self.is_gamma_only(pvm))
+
     def is_sql_lab_pvm(self, pvm):
         return (
             pvm.view_menu.name in {


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org