You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@superset.apache.org by "john-bodley (via GitHub)" <gi...@apache.org> on 2023/06/10 03:53:56 UTC
[GitHub] [superset] john-bodley commented on a diff in pull request #24350: fix: Address dashboard permission regression in #23586
john-bodley commented on code in PR #24350:
URL: https://github.com/apache/superset/pull/24350#discussion_r1225026280
##########
superset/views/core.py:
##########
@@ -1641,76 +1648,54 @@ def favstar( # pylint: disable=no-self-use
@has_access
@expose("/dashboard/<dashboard_id_or_slug>/")
@event_logger.log_this_with_extra_payload
- @check_dashboard_access(
- on_error=lambda msg: redirect_with_flash(DASHBOARD_LIST_URL, msg, "danger")
- )
def dashboard(
self,
- dashboard_id_or_slug: str, # pylint: disable=unused-argument
+ dashboard_id_or_slug: str,
add_extra_log_payload: Callable[..., None] = lambda **kwargs: None,
- dashboard: Dashboard | None = None,
) -> FlaskResponse:
"""
- Server side rendering for a dashboard
- :param dashboard_id_or_slug: identifier for dashboard. used in the decorators
+ Server side rendering for a dashboard.
+
+ :param dashboard_id_or_slug: identifier for dashboard
:param add_extra_log_payload: added by `log_this_with_manual_updates`, set a
default value to appease pylint
- :param dashboard: added by `check_dashboard_access`
"""
- if not dashboard:
- abort(404)
- assert dashboard is not None
-
- has_access_ = False
- for datasource in dashboard.datasources:
- datasource = DatasourceDAO.get_datasource(
- datasource_type=DatasourceType(datasource.type),
- datasource_id=datasource.id,
- session=db.session(),
+ try:
+ dashboard = DashboardDAO.get_by_id_or_slug(dashboard_id_or_slug)
+ except DashboardNotFoundError:
+ abort(404)
+ except DashboardAccessDeniedError as ex:
+ return redirect_with_flash(
+ url="/dashboard/list/",
+ message=utils.error_msg_from_exception(ex),
+ category="danger",
)
- if datasource and security_manager.can_access_datasource(
- datasource=datasource,
- ):
- has_access_ = True
-
- if has_access_:
- break
-
- if dashboard.datasources and not has_access_:
- flash(DashboardAccessDeniedError.message, "danger")
- return redirect(DASHBOARD_LIST_URL)
-
- dash_edit_perm = security_manager.is_owner(
- dashboard
- ) and security_manager.can_access("can_save_dash", "Superset")
- edit_mode = (
- request.args.get(utils.ReservedUrlParameters.EDIT_MODE.value) == "true"
- )
-
- standalone_mode = ReservedUrlParameters.is_standalone_mode()
add_extra_log_payload(
dashboard_id=dashboard.id,
dashboard_version="v2",
- dash_edit_perm=dash_edit_perm,
- edit_mode=edit_mode,
+ dash_edit_perm=(
Review Comment:
Inlined logic from above to improve readability.
##########
superset/utils/decorators.py:
##########
@@ -114,27 +111,3 @@ def wrapped(*args: Any, **kwargs: Any) -> Any:
def on_security_exception(self: Any, ex: Exception) -> Response:
return self.response(403, **{"message": utils.error_msg_from_exception(ex)})
-
-
-# noinspection PyPackageRequirements
Review Comment:
This decorator seemed superfluous as said logic could be handled elsewhere.
##########
superset/security/manager.py:
##########
@@ -1995,38 +2010,40 @@ def raise_for_user_activity_access(user_id: int) -> None:
def raise_for_dashboard_access(self, dashboard: "Dashboard") -> None:
"""
Raise an exception if the user cannot access the dashboard.
- This does not check for the required role/permission pairs,
- it only concerns itself with entity relationships.
+
+ This does not check for the required role/permission pairs, it only concerns
+ itself with entity relationships.
:param dashboard: Dashboard the user wants access to
:raises DashboardAccessDeniedError: If the user cannot access the resource
"""
+
# pylint: disable=import-outside-toplevel
from superset import is_feature_enabled
from superset.dashboards.commands.exceptions import DashboardAccessDeniedError
- def has_rbac_access() -> bool:
- if not is_feature_enabled("DASHBOARD_RBAC") or not dashboard.roles:
Review Comment:
This was a tad hard to digest, but it essence is checking if RBAC is _disabled_. A more digestible form (used below) to check if RBAC is _enabled_ is,
```python
if is_feature_enabled("DASHBOARD_RBAC") and dashboard.roles:
...
```
##########
superset/views/core.py:
##########
@@ -1641,76 +1648,54 @@ def favstar( # pylint: disable=no-self-use
@has_access
@expose("/dashboard/<dashboard_id_or_slug>/")
@event_logger.log_this_with_extra_payload
- @check_dashboard_access(
- on_error=lambda msg: redirect_with_flash(DASHBOARD_LIST_URL, msg, "danger")
- )
def dashboard(
self,
- dashboard_id_or_slug: str, # pylint: disable=unused-argument
+ dashboard_id_or_slug: str,
add_extra_log_payload: Callable[..., None] = lambda **kwargs: None,
- dashboard: Dashboard | None = None,
) -> FlaskResponse:
"""
- Server side rendering for a dashboard
- :param dashboard_id_or_slug: identifier for dashboard. used in the decorators
+ Server side rendering for a dashboard.
+
+ :param dashboard_id_or_slug: identifier for dashboard
:param add_extra_log_payload: added by `log_this_with_manual_updates`, set a
default value to appease pylint
- :param dashboard: added by `check_dashboard_access`
"""
- if not dashboard:
- abort(404)
- assert dashboard is not None
-
- has_access_ = False
- for datasource in dashboard.datasources:
- datasource = DatasourceDAO.get_datasource(
- datasource_type=DatasourceType(datasource.type),
- datasource_id=datasource.id,
- session=db.session(),
+ try:
+ dashboard = DashboardDAO.get_by_id_or_slug(dashboard_id_or_slug)
+ except DashboardNotFoundError:
+ abort(404)
+ except DashboardAccessDeniedError as ex:
+ return redirect_with_flash(
+ url="/dashboard/list/",
+ message=utils.error_msg_from_exception(ex),
+ category="danger",
)
- if datasource and security_manager.can_access_datasource(
- datasource=datasource,
- ):
- has_access_ = True
-
- if has_access_:
- break
-
- if dashboard.datasources and not has_access_:
- flash(DashboardAccessDeniedError.message, "danger")
- return redirect(DASHBOARD_LIST_URL)
-
- dash_edit_perm = security_manager.is_owner(
- dashboard
- ) and security_manager.can_access("can_save_dash", "Superset")
- edit_mode = (
- request.args.get(utils.ReservedUrlParameters.EDIT_MODE.value) == "true"
- )
-
- standalone_mode = ReservedUrlParameters.is_standalone_mode()
add_extra_log_payload(
dashboard_id=dashboard.id,
dashboard_version="v2",
- dash_edit_perm=dash_edit_perm,
- edit_mode=edit_mode,
+ dash_edit_perm=(
+ security_manager.is_owner(dashboard)
+ and security_manager.can_access("can_save_dash", "Superset")
+ ),
+ edit_mode=(
+ request.args.get(ReservedUrlParameters.EDIT_MODE.value) == "true"
+ ),
)
- bootstrap_data = {
- "user": bootstrap_user_data(g.user, include_perms=True),
- "common": common_bootstrap_payload(g.user),
- }
-
return self.render_template(
"superset/spa.html",
entry="spa",
- # dashboard title is always visible
- title=dashboard.dashboard_title,
+ title=dashboard.dashboard_title, # dashboard title is always visible
bootstrap_data=json.dumps(
- bootstrap_data, default=utils.pessimistic_json_iso_dttm_ser
+ {
Review Comment:
Inlined logic from above.
##########
superset/security/manager.py:
##########
@@ -1995,38 +2010,40 @@ def raise_for_user_activity_access(user_id: int) -> None:
def raise_for_dashboard_access(self, dashboard: "Dashboard") -> None:
"""
Raise an exception if the user cannot access the dashboard.
- This does not check for the required role/permission pairs,
- it only concerns itself with entity relationships.
+
+ This does not check for the required role/permission pairs, it only concerns
+ itself with entity relationships.
:param dashboard: Dashboard the user wants access to
:raises DashboardAccessDeniedError: If the user cannot access the resource
"""
+
# pylint: disable=import-outside-toplevel
from superset import is_feature_enabled
from superset.dashboards.commands.exceptions import DashboardAccessDeniedError
- def has_rbac_access() -> bool:
Review Comment:
This logic has been inlined below.
##########
superset/security/manager.py:
##########
@@ -1995,38 +2010,40 @@ def raise_for_user_activity_access(user_id: int) -> None:
def raise_for_dashboard_access(self, dashboard: "Dashboard") -> None:
"""
Raise an exception if the user cannot access the dashboard.
- This does not check for the required role/permission pairs,
- it only concerns itself with entity relationships.
+
+ This does not check for the required role/permission pairs, it only concerns
+ itself with entity relationships.
:param dashboard: Dashboard the user wants access to
:raises DashboardAccessDeniedError: If the user cannot access the resource
"""
+
# pylint: disable=import-outside-toplevel
from superset import is_feature_enabled
from superset.dashboards.commands.exceptions import DashboardAccessDeniedError
- def has_rbac_access() -> bool:
- if not is_feature_enabled("DASHBOARD_RBAC") or not dashboard.roles:
- return True
-
- return any(
- dashboard_role.id
- in [user_role.id for user_role in self.get_user_roles()]
- for dashboard_role in dashboard.roles
- )
-
if self.is_guest_user() and dashboard.embedded:
- can_access = self.has_guest_access(dashboard)
+ if self.has_guest_access(dashboard):
+ return
else:
- can_access = (
- self.is_admin()
- or self.is_owner(dashboard)
- or (dashboard.published and has_rbac_access())
Review Comment:
I'm struggling to grok how/why the published state alters things. Note the challenge is logic outlined here isn't the entire corpus of rules from an access standpoint given that the view also had additional (potentially conflicting) logic based on whether the user had access to the underlying datasets.
For now I've actually left out the published state. Personally I feel the access rubric is already quite complex and rather difficult to grok as it pertains to embedded dashboards and the like. Additionally I'm not sure I agree with the logic with regards to RBAC when no roles are defined. Personally this feels like one shouldn't strictly have access as opposed to falling back to the legacy logic. Do dashboard owners et al. grok how this works?
##########
superset/security/manager.py:
##########
@@ -1995,38 +2010,40 @@ def raise_for_user_activity_access(user_id: int) -> None:
def raise_for_dashboard_access(self, dashboard: "Dashboard") -> None:
"""
Raise an exception if the user cannot access the dashboard.
- This does not check for the required role/permission pairs,
- it only concerns itself with entity relationships.
+
+ This does not check for the required role/permission pairs, it only concerns
+ itself with entity relationships.
:param dashboard: Dashboard the user wants access to
:raises DashboardAccessDeniedError: If the user cannot access the resource
"""
+
# pylint: disable=import-outside-toplevel
from superset import is_feature_enabled
from superset.dashboards.commands.exceptions import DashboardAccessDeniedError
- def has_rbac_access() -> bool:
- if not is_feature_enabled("DASHBOARD_RBAC") or not dashboard.roles:
- return True
-
- return any(
- dashboard_role.id
- in [user_role.id for user_role in self.get_user_roles()]
- for dashboard_role in dashboard.roles
- )
-
if self.is_guest_user() and dashboard.embedded:
- can_access = self.has_guest_access(dashboard)
+ if self.has_guest_access(dashboard):
+ return
else:
- can_access = (
- self.is_admin()
- or self.is_owner(dashboard)
- or (dashboard.published and has_rbac_access())
- or (not dashboard.published and not dashboard.roles)
- )
+ if self.is_admin() or self.is_owner(dashboard):
+ return
+
+ # RBAC and legacy (datasource inferred) access controls.
Review Comment:
The TL;DR is this check now includes logic for the legacy access controls which were based (for right or wrong) around the notion that a user has access to the dashboard if they can access at least one of the underlying datasets which backs the dashboard. Said logic previously resided in the dashboard view.
##########
superset/views/core.py:
##########
@@ -1641,76 +1648,54 @@ def favstar( # pylint: disable=no-self-use
@has_access
@expose("/dashboard/<dashboard_id_or_slug>/")
@event_logger.log_this_with_extra_payload
- @check_dashboard_access(
- on_error=lambda msg: redirect_with_flash(DASHBOARD_LIST_URL, msg, "danger")
- )
def dashboard(
self,
- dashboard_id_or_slug: str, # pylint: disable=unused-argument
+ dashboard_id_or_slug: str,
add_extra_log_payload: Callable[..., None] = lambda **kwargs: None,
- dashboard: Dashboard | None = None,
) -> FlaskResponse:
"""
- Server side rendering for a dashboard
- :param dashboard_id_or_slug: identifier for dashboard. used in the decorators
+ Server side rendering for a dashboard.
+
+ :param dashboard_id_or_slug: identifier for dashboard
:param add_extra_log_payload: added by `log_this_with_manual_updates`, set a
default value to appease pylint
- :param dashboard: added by `check_dashboard_access`
"""
- if not dashboard:
- abort(404)
- assert dashboard is not None
-
- has_access_ = False
- for datasource in dashboard.datasources:
- datasource = DatasourceDAO.get_datasource(
- datasource_type=DatasourceType(datasource.type),
- datasource_id=datasource.id,
- session=db.session(),
+ try:
+ dashboard = DashboardDAO.get_by_id_or_slug(dashboard_id_or_slug)
+ except DashboardNotFoundError:
+ abort(404)
+ except DashboardAccessDeniedError as ex:
+ return redirect_with_flash(
+ url="/dashboard/list/",
+ message=utils.error_msg_from_exception(ex),
+ category="danger",
)
- if datasource and security_manager.can_access_datasource(
- datasource=datasource,
- ):
- has_access_ = True
-
- if has_access_:
- break
-
- if dashboard.datasources and not has_access_:
- flash(DashboardAccessDeniedError.message, "danger")
- return redirect(DASHBOARD_LIST_URL)
-
- dash_edit_perm = security_manager.is_owner(
- dashboard
- ) and security_manager.can_access("can_save_dash", "Superset")
- edit_mode = (
- request.args.get(utils.ReservedUrlParameters.EDIT_MODE.value) == "true"
- )
-
- standalone_mode = ReservedUrlParameters.is_standalone_mode()
add_extra_log_payload(
dashboard_id=dashboard.id,
dashboard_version="v2",
- dash_edit_perm=dash_edit_perm,
- edit_mode=edit_mode,
+ dash_edit_perm=(
+ security_manager.is_owner(dashboard)
+ and security_manager.can_access("can_save_dash", "Superset")
+ ),
+ edit_mode=(
Review Comment:
Inlined logic from above.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org