Skip to content

Commit

Permalink
Only allow owners to overwrite slice (#2142)
Browse files Browse the repository at this point in the history
* Raise exception when date range is wrong

* Only allow owner to overwrite a slice
  • Loading branch information
vera-liu authored and mistercrunch committed Feb 11, 2017
1 parent 15604ce commit f6f15f6
Show file tree
Hide file tree
Showing 3 changed files with 21 additions and 22 deletions.
8 changes: 4 additions & 4 deletions superset/assets/javascripts/explorev2/components/SaveModal.js
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ import Select from 'react-select';
import { connect } from 'react-redux';

const propTypes = {
can_edit: PropTypes.bool,
can_overwrite: PropTypes.bool,
onHide: PropTypes.func.isRequired,
actions: PropTypes.object.isRequired,
form_data: PropTypes.object,
Expand All @@ -26,7 +26,7 @@ class SaveModal extends React.Component {
newSliceName: '',
dashboards: [],
alert: null,
action: 'overwrite',
action: 'saveas',
addToDash: 'noSave',
};
}
Expand Down Expand Up @@ -140,7 +140,7 @@ class SaveModal extends React.Component {
</Alert>
}
<Radio
disabled={!this.props.can_edit}
disabled={!this.props.can_overwrite}
checked={this.state.action === 'overwrite'}
onChange={this.changeAction.bind(this, 'overwrite')}
>
Expand Down Expand Up @@ -229,7 +229,7 @@ function mapStateToProps(state) {
return {
datasource: state.datasource,
slice: state.slice,
can_edit: state.can_edit,
can_overwrite: state.can_overwrite,
user_id: state.user_id,
dashboards: state.dashboards,
alert: state.saveModalAlert,
Expand Down
29 changes: 15 additions & 14 deletions superset/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -187,6 +187,11 @@ def wraps(self, *args, **kwargs):

return functools.update_wrapper(wraps, f)

def is_owner(obj, user):
""" Check if user is owner of the slice """
if obj.owners and user in obj.owners:
return True
return False

def check_ownership(obj, raise_if_false=True):
"""Meant to be used in `pre_update` hooks on models to enforce ownership
Expand Down Expand Up @@ -1582,7 +1587,7 @@ def explore(self, datasource_type, datasource_id):

# slc perms
slice_add_perm = self.can_access('can_add', 'SliceModelView')
slice_edit_perm = check_ownership(slc, raise_if_false=False)
slice_overwrite_perm = is_owner(slc, g.user)
slice_download_perm = self.can_access('can_download', 'SliceModelView')

# handle save or overwrite
Expand All @@ -1591,7 +1596,7 @@ def explore(self, datasource_type, datasource_id):
return self.save_or_overwrite_slice(
request.args,
slc, slice_add_perm,
slice_edit_perm,
slice_overwrite_perm,
datasource_id,
datasource_type)

Expand All @@ -1600,7 +1605,7 @@ def explore(self, datasource_type, datasource_id):
bootstrap_data = {
"can_add": slice_add_perm,
"can_download": slice_download_perm,
"can_edit": slice_edit_perm,
"can_overwrite": slice_overwrite_perm,
"datasource": datasource.data,
# TODO: separate endpoint for fetching datasources
"form_data": form_data,
Expand Down Expand Up @@ -1669,7 +1674,7 @@ def filter(self, datasource_type, datasource_id, column):
mimetype="application/json")

def save_or_overwrite_slice(
self, args, slc, slice_add_perm, slice_edit_perm,
self, args, slc, slice_add_perm, slice_overwrite_perm,
datasource_id, datasource_type):
"""Save or overwrite a slice"""
slice_name = args.get('slice_name')
Expand All @@ -1690,7 +1695,7 @@ def save_or_overwrite_slice(

if action in ('saveas') and slice_add_perm:
self.save_slice(slc)
elif action == 'overwrite' and slice_edit_perm:
elif action == 'overwrite' and slice_overwrite_perm:
self.overwrite_slice(slc)

# Adding slice to a dashboard if requested
Expand Down Expand Up @@ -1734,15 +1739,11 @@ def save_slice(self, slc):
flash(msg, "info")

def overwrite_slice(self, slc):
can_update = check_ownership(slc, raise_if_false=False)
if not can_update:
flash("You cannot overwrite [{}]".format(slc), "danger")
else:
session = db.session()
session.merge(slc)
session.commit()
msg = "Slice [{}] has been overwritten".format(slc.slice_name)
flash(msg, "info")
session = db.session()
session.merge(slc)
session.commit()
msg = "Slice [{}] has been overwritten".format(slc.slice_name)
flash(msg, "info")

@api
@has_access_api
Expand Down
6 changes: 2 additions & 4 deletions superset/viz.py
Original file line number Diff line number Diff line change
Expand Up @@ -163,8 +163,7 @@ def query_obj(self):
until = extra_filters.get('__to') or form_data.get("until", "now")
to_dttm = utils.parse_human_datetime(until)
if from_dttm > to_dttm:
flasher("The date range doesn't seem right.", "danger")
from_dttm = to_dttm # Making them identical to not raise
raise Exception("From date cannot be larger than to date")

# extras are used to query elements specific to a datasource type
# for instance the extra where clause that applies only to Tables
Expand Down Expand Up @@ -329,8 +328,7 @@ def get_values_for_column(self, column):
until = form_data.get("until", "now")
to_dttm = utils.parse_human_datetime(until)
if from_dttm > to_dttm:
flasher("The date range doesn't seem right.", "danger")
from_dttm = to_dttm # Making them identical to not raise
raise Exception("From date cannot be larger than to date")

kwargs = dict(
column_name=column,
Expand Down

0 comments on commit f6f15f6

Please sign in to comment.