Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2018/08/22 18:15:24 UTC

[GitHub] john-bodley closed pull request #5684: [security] Moving set/merge perm to security manager

john-bodley closed pull request #5684: [security] Moving set/merge perm to security manager
URL: https://github.com/apache/incubator-superset/pull/5684
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/superset/connectors/druid/models.py b/superset/connectors/druid/models.py
index 824d7c9ee4..7bb6a5e192 100644
--- a/superset/connectors/druid/models.py
+++ b/superset/connectors/druid/models.py
@@ -41,7 +41,7 @@
 from superset.connectors.base.models import BaseColumn, BaseDatasource, BaseMetric
 from superset.exceptions import MetricPermException, SupersetException
 from superset.models.helpers import (
-    AuditMixinNullable, ImportMixin, QueryResult, set_perm,
+    AuditMixinNullable, ImportMixin, QueryResult,
 )
 from superset.utils import (
     DimSelector, DTTM_ALIAS, flasher,
@@ -1601,5 +1601,5 @@ def external_metadata(self):
         ]
 
 
-sa.event.listen(DruidDatasource, 'after_insert', set_perm)
-sa.event.listen(DruidDatasource, 'after_update', set_perm)
+sa.event.listen(DruidDatasource, 'after_insert', security_manager.set_perm)
+sa.event.listen(DruidDatasource, 'after_update', security_manager.set_perm)
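Review bot: These two listeners are what ensure every datasource row gets its access permission, but nothing at the registration site says so. A one-line comment above the `sa.event.listen` calls, such as `# Sync perm and ensure the datasource_access permission-view exists on every insert/update.`, would make that visible. Neither hunk of this file adds an import of `security_manager`, so it is presumably already imported near the top of druid/models.py; this is worth confirming, since a missing name would fail at module import. The comment applies equally to the listener hunks in superset/connectors/sqla/models.py and superset/models/core.py, and the import question to sqla/models.py (core.py visibly imports it from `superset`).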
diff --git a/superset/connectors/sqla/models.py b/superset/connectors/sqla/models.py
index 648bff44e8..44a2cfb1ca 100644
--- a/superset/connectors/sqla/models.py
+++ b/superset/connectors/sqla/models.py
@@ -29,7 +29,6 @@
 from superset.models.annotations import Annotation
 from superset.models.core import Database
 from superset.models.helpers import QueryResult
-from superset.models.helpers import set_perm
 from superset.utils import DTTM_ALIAS, QueryStatus
 
 config = app.config
@@ -892,5 +891,5 @@ def default_query(qry):
         return qry.filter_by(is_sqllab_view=False)
 
 
-sa.event.listen(SqlaTable, 'after_insert', set_perm)
-sa.event.listen(SqlaTable, 'after_update', set_perm)
+sa.event.listen(SqlaTable, 'after_insert', security_manager.set_perm)
+sa.event.listen(SqlaTable, 'after_update', security_manager.set_perm)
diff --git a/superset/models/core.py b/superset/models/core.py
index 50f657c8e3..9d9674c195 100644
--- a/superset/models/core.py
+++ b/superset/models/core.py
@@ -39,7 +39,7 @@
 from superset import app, db, db_engine_specs, security_manager, utils
 from superset.connectors.connector_registry import ConnectorRegistry
 from superset.legacy import update_time_range
-from superset.models.helpers import AuditMixinNullable, ImportMixin, set_perm
+from superset.models.helpers import AuditMixinNullable, ImportMixin
 from superset.models.user_attributes import UserAttribute
 from superset.utils import MediumText
 from superset.viz import viz_types
@@ -959,8 +959,8 @@ def get_dialect(self):
         return sqla_url.get_dialect()()
 
 
-sqla.event.listen(Database, 'after_insert', set_perm)
-sqla.event.listen(Database, 'after_update', set_perm)
+sqla.event.listen(Database, 'after_insert', security_manager.set_perm)
+sqla.event.listen(Database, 'after_update', security_manager.set_perm)
 
 
 class Log(Model):
diff --git a/superset/models/helpers.py b/superset/models/helpers.py
index 113ec39911..417a447dc1 100644
--- a/superset/models/helpers.py
+++ b/superset/models/helpers.py
@@ -21,7 +21,6 @@
 from sqlalchemy.orm.exc import MultipleResultsFound
 import yaml
 
-from superset import security_manager
 from superset.utils import QueryStatus
 
 
@@ -312,53 +311,3 @@ def __init__(  # noqa
         self.duration = duration
         self.status = status
         self.error_message = error_message
-
-
-def merge_perm(sm, permission_name, view_menu_name, connection):
-
-    permission = sm.find_permission(permission_name)
-    view_menu = sm.find_view_menu(view_menu_name)
-    pv = None
-
-    if not permission:
-        permission_table = sm.permission_model.__table__
-        connection.execute(
-            permission_table.insert()
-            .values(name=permission_name),
-        )
-    if not view_menu:
-        view_menu_table = sm.viewmenu_model.__table__
-        connection.execute(
-            view_menu_table.insert()
-            .values(name=view_menu_name),
-        )
-
-    permission = sm.find_permission(permission_name)
-    view_menu = sm.find_view_menu(view_menu_name)
-
-    if permission and view_menu:
-        pv = sm.get_session.query(sm.permissionview_model).filter_by(
-            permission=permission, view_menu=view_menu).first()
-    if not pv and permission and view_menu:
-        permission_view_table = sm.permissionview_model.__table__
-        connection.execute(
-            permission_view_table.insert()
-            .values(
-                permission_id=permission.id,
-                view_menu_id=view_menu.id,
-            ),
-        )
-
-
-def set_perm(mapper, connection, target):  # noqa
-
-    if target.perm != target.get_perm():
-        link_table = target.__table__
-        connection.execute(
-            link_table.update()
-            .where(link_table.c.id == target.id)
-            .values(perm=target.get_perm()),
-        )
-
-    # add to view menu if not already exists
-    merge_perm(security_manager, 'datasource_access', target.get_perm(), connection)
diff --git a/superset/security.py b/superset/security.py
index 0bfca36e9e..8ea8c04d09 100644
--- a/superset/security.py
+++ b/superset/security.py
@@ -383,3 +383,47 @@ def is_granter_pvm(self, pvm):
         return pvm.permission.name in {
             'can_override_role_permissions', 'can_approve',
         }
+
+    def set_perm(self, mapper, connection, target):  # noqa
+        if target.perm != target.get_perm():
+            link_table = target.__table__
+            connection.execute(
+                link_table.update()
+                .where(link_table.c.id == target.id)
+                .values(perm=target.get_perm()),
+            )
+
+        # add to view menu if not already exists
+        permission_name = 'datasource_access'
+        view_menu_name = target.get_perm()
+        permission = self.find_permission(permission_name)
+        view_menu = self.find_view_menu(view_menu_name)
+        pv = None
+
+        if not permission:
+            permission_table = self.permission_model.__table__  # noqa: E501 pylint: disable=no-member
+            connection.execute(
+                permission_table.insert()
+                .values(name=permission_name),
+            )
+            permission = self.find_permission(permission_name)
+        if not view_menu:
+            view_menu_table = self.viewmenu_model.__table__  # pylint: disable=no-member
+            connection.execute(
+                view_menu_table.insert()
+                .values(name=view_menu_name),
+            )
+            view_menu = self.find_view_menu(view_menu_name)
+
+        if permission and view_menu:
+            pv = self.get_session.query(self.permissionview_model).filter_by(
+                permission=permission, view_menu=view_menu).first()
+        if not pv and permission and view_menu:
+            permission_view_table = self.permissionview_model.__table__  # noqa: E501 pylint: disable=no-member
+            connection.execute(
+                permission_view_table.insert()
+                .values(
+                    permission_id=permission.id,
+                    view_menu_id=view_menu.id,
+                ),
+            )
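Review bot: `set_perm` hard-codes `permission_name = 'datasource_access'`, yet this commit also registers it as the `after_insert`/`after_update` listener for `Database` in superset/models/core.py, so every database row gets a `datasource_access` permission-view on its perm string too. If database access is authorised under a different permission name elsewhere in the security manager (not visible in this diff), those entries are misleading to anyone auditing or granting roles; consider deriving the name from the target type or stating the intent in a comment. The method has no docstring and carries a blanket `# noqa` on the `def` line; something like `"""SQLAlchemy after_insert/after_update hook: sync target.perm and ensure its permission-view exists."""` would help. The docstring should also say that the writes go through `connection` rather than the session, and that the permission-view is silently skipped when `find_permission` or `find_view_menu` still returns nothing after the insert. A log line on that last path would keep a datasource left without an access permission from going unnoticed.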


 
