Only allow owners to overwrite slice (#2142)

* Raise exception when date range is wrong * Only allow owner to overwrite a slice
apache · Feb 14, 2017 · 85f92ea · 85f92ea
1 parent 1ae95a1
commit 85f92ea
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 22 deletions.
diff --git a/superset/assets/javascripts/explorev2/components/SaveModal.js b/superset/assets/javascripts/explorev2/components/SaveModal.js
@@ -6,7 +6,7 @@ import Select from 'react-select';
 import { connect } from 'react-redux';
 
 const propTypes = {
-  can_edit: PropTypes.bool,
+  can_overwrite: PropTypes.bool,
   onHide: PropTypes.func.isRequired,
   actions: PropTypes.object.isRequired,
   form_data: PropTypes.object,
@@ -26,7 +26,7 @@ class SaveModal extends React.Component {
       newSliceName: '',
       dashboards: [],
       alert: null,
-      action: 'overwrite',
+      action: 'saveas',
       addToDash: 'noSave',
     };
   }
@@ -140,7 +140,7 @@ class SaveModal extends React.Component {
             </Alert>
           }
           <Radio
-            disabled={!this.props.can_edit}
+            disabled={!this.props.can_overwrite}
             checked={this.state.action === 'overwrite'}
             onChange={this.changeAction.bind(this, 'overwrite')}
           >
@@ -229,7 +229,7 @@ function mapStateToProps(state) {
   return {
     datasource: state.datasource,
     slice: state.slice,
-    can_edit: state.can_edit,
+    can_overwrite: state.can_overwrite,
     user_id: state.user_id,
     dashboards: state.dashboards,
     alert: state.saveModalAlert,

diff --git a/superset/views.py b/superset/views.py
@@ -211,6 +211,11 @@ def wraps(self, *args, **kwargs):
 
     return functools.update_wrapper(wraps, f)
 
+def is_owner(obj, user):
+    """ Check if user is owner of the slice """
+    if obj.owners and user in obj.owners:
+        return True
+    return False
 
 def check_ownership(obj, raise_if_false=True):
     """Meant to be used in `pre_update` hooks on models to enforce ownership
@@ -1598,7 +1603,7 @@ def explore(self, datasource_type, datasource_id):
 
         # slc perms
         slice_add_perm = self.can_access('can_add', 'SliceModelView')
-        slice_edit_perm = check_ownership(slc, raise_if_false=False)
+        slice_overwrite_perm = is_owner(slc, g.user)
         slice_download_perm = self.can_access('can_download', 'SliceModelView')
 
         # handle save or overwrite
@@ -1607,7 +1612,7 @@ def explore(self, datasource_type, datasource_id):
             return self.save_or_overwrite_slice(
                 request.args,
                 slc, slice_add_perm,
-                slice_edit_perm,
+                slice_overwrite_perm,
                 datasource_id,
                 datasource_type)
 
@@ -1616,7 +1621,7 @@ def explore(self, datasource_type, datasource_id):
         bootstrap_data = {
             "can_add": slice_add_perm,
             "can_download": slice_download_perm,
-            "can_edit": slice_edit_perm,
+            "can_overwrite": slice_overwrite_perm,
             "datasource": datasource.data,
             # TODO: separate endpoint for fetching datasources
             "form_data": form_data,
@@ -1680,7 +1685,7 @@ def filter(self, datasource_type, datasource_id, column):
         return json_success(obj.get_values_for_column(column))
 
     def save_or_overwrite_slice(
-            self, args, slc, slice_add_perm, slice_edit_perm,
+            self, args, slc, slice_add_perm, slice_overwrite_perm,
             datasource_id, datasource_type):
         """Save or overwrite a slice"""
         slice_name = args.get('slice_name')
@@ -1701,7 +1706,7 @@ def save_or_overwrite_slice(
 
         if action in ('saveas') and slice_add_perm:
             self.save_slice(slc)
-        elif action == 'overwrite' and slice_edit_perm:
+        elif action == 'overwrite' and slice_overwrite_perm:
             self.overwrite_slice(slc)
 
         # Adding slice to a dashboard if requested
@@ -1745,15 +1750,11 @@ def save_slice(self, slc):
         flash(msg, "info")
 
     def overwrite_slice(self, slc):
-        can_update = check_ownership(slc, raise_if_false=False)
-        if not can_update:
-            flash("You cannot overwrite [{}]".format(slc), "danger")
-        else:
-            session = db.session()
-            session.merge(slc)
-            session.commit()
-            msg = "Slice [{}] has been overwritten".format(slc.slice_name)
-            flash(msg, "info")
+        session = db.session()
+        session.merge(slc)
+        session.commit()
+        msg = "Slice [{}] has been overwritten".format(slc.slice_name)
+        flash(msg, "info")
 
     @api
     @has_access_api

diff --git a/superset/viz.py b/superset/viz.py
@@ -163,8 +163,7 @@ def query_obj(self):
         until = extra_filters.get('__to') or form_data.get("until", "now")
         to_dttm = utils.parse_human_datetime(until)
         if from_dttm > to_dttm:
-            flasher("The date range doesn't seem right.", "danger")
-            from_dttm = to_dttm  # Making them identical to not raise
+            raise Exception("From date cannot be larger than to date")
 
         # extras are used to query elements specific to a datasource type
         # for instance the extra where clause that applies only to Tables
@@ -329,8 +328,7 @@ def get_values_for_column(self, column):
         until = form_data.get("until", "now")
         to_dttm = utils.parse_human_datetime(until)
         if from_dttm > to_dttm:
-            flasher("The date range doesn't seem right.", "danger")
-            from_dttm = to_dttm  # Making them identical to not raise
+            raise Exception("From date cannot be larger than to date")
 
         kwargs = dict(
             column_name=column,