From f6f15f6098e805c5b12be8cafcab7c0001a28886 Mon Sep 17 00:00:00 2001
From: vera-liu
Date: Thu, 9 Feb 2017 23:50:11 -0800
Subject: [PATCH] Only allow owners to overwrite slice (#2142)
* Raise exception when date range is wrong
* Only allow owner to overwrite a slice
---
 .../explorev2/components/SaveModal.js | 8 ++---
 superset/views.py | 29 ++++++++++---------
 superset/viz.py | 6 ++--
 3 files changed, 21 insertions(+), 22 deletions(-)
diff --git a/superset/assets/javascripts/explorev2/components/SaveModal.js b/superset/assets/javascripts/explorev2/components/SaveModal.js
index cb21bceff279c..2956f37ebb59c 100644
--- a/superset/assets/javascripts/explorev2/components/SaveModal.js
+++ b/superset/assets/javascripts/explorev2/components/SaveModal.js
@@ -6,7 +6,7 @@ import Select from 'react-select';
 import { connect } from 'react-redux';
 const propTypes = {
- can_edit: PropTypes.bool,
+ can_overwrite: PropTypes.bool,
 onHide: PropTypes.func.isRequired,
 actions: PropTypes.object.isRequired,
 form_data: PropTypes.object,
@@ -26,7 +26,7 @@ class SaveModal extends React.Component {
 newSliceName: '',
 dashboards: [],
 alert: null,
- action: 'overwrite',
+ action: 'saveas',
 addToDash: 'noSave',
 };
 }
@@ -140,7 +140,7 @@ class SaveModal extends React.Component {
 }
@@ -229,7 +229,7 @@ function mapStateToProps(state) {
 return {
 datasource: state.datasource,
 slice: state.slice,
- can_edit: state.can_edit,
+ can_overwrite: state.can_overwrite,
 user_id: state.user_id,
 dashboards: state.dashboards,
 alert: state.saveModalAlert,
diff --git a/superset/views.py b/superset/views.py
index 606d98c653f5a..91c6feddbf92e 100755
--- a/superset/views.py
+++ b/superset/views.py
@@ -187,6 +187,11 @@ def wraps(self, *args, **kwargs):
 return functools.update_wrapper(wraps, f)
+def is_owner(obj, user):
+ """ Check if user is owner of the slice """
+ if obj.owners and user in obj.owners:
+ return True
+ return False
 def check_ownership(obj, raise_if_false=True):
 """Meant to be used in `pre_update` hooks on models to enforce ownership
@@ -1582,7 +1587,7 @@ def explore(self, datasource_type, datasource_id):
 # slc perms
 slice_add_perm = self.can_access('can_add', 'SliceModelView')
- slice_edit_perm = check_ownership(slc, raise_if_false=False)
+ slice_overwrite_perm = is_owner(slc, g.user)
 slice_download_perm = self.can_access('can_download', 'SliceModelView')
 # handle save or overwrite
@@ -1591,7 +1596,7 @@ def explore(self, datasource_type, datasource_id):
 return self.save_or_overwrite_slice(
 request.args, slc, slice_add_perm,
- slice_edit_perm,
+ slice_overwrite_perm,
 datasource_id, datasource_type)
@@ -1600,7 +1605,7 @@ def explore(self, datasource_type, datasource_id):
 bootstrap_data = {
 "can_add": slice_add_perm,
 "can_download": slice_download_perm,
- "can_edit": slice_edit_perm,
+ "can_overwrite": slice_overwrite_perm,
 "datasource": datasource.data, # TODO: separate endpoint for fetching datasources
 "form_data": form_data,
@@ -1669,7 +1674,7 @@ def filter(self, datasource_type, datasource_id, column):
 mimetype="application/json")
 def save_or_overwrite_slice(
- self, args, slc, slice_add_perm, slice_edit_perm,
+ self, args, slc, slice_add_perm, slice_overwrite_perm,
 datasource_id, datasource_type):
 """Save or overwrite a slice"""
 slice_name = args.get('slice_name')
@@ -1690,7 +1695,7 @@ def save_or_overwrite_slice(
 if action in ('saveas') and slice_add_perm:
 self.save_slice(slc)
- elif action == 'overwrite' and slice_edit_perm:
+ elif action == 'overwrite' and slice_overwrite_perm:
 self.overwrite_slice(slc)
 # Adding slice to a dashboard if requested
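Review bot: `is_owner` dereferences `obj.owners` without checking `obj` itself, so the new call `is_owner(slc, g.user)` in `explore` raises `AttributeError` if `slc` is ever `None` there (a chart that has not been saved yet); `check_ownership`, which it replaces at that call site and whose visible docstring describes it as an ownership guard, may have tolerated that case, so confirm what `explore` passes. Guarding the reference and returning the membership test directly also removes the redundant `if … return True / return False` shape: `if obj is None or not obj.owners:` / `    return False` / `return user in obj.owners`. The docstring's inner padding (`""" Check … """`) goes against PEP 257; `"""Return True if *user* is listed in *obj*'s owners."""` reads cleaner. `check_ownership`'s body continues outside the hunk.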
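Review bot: Replacing `check_ownership(slc, raise_if_false=False)` with `is_owner(slc, g.user)` in `explore` narrows overwrite permission to the literal `owners` relationship on the in-memory object: whatever `check_ownership` grants beyond that (its docstring, cut off by the hunk, says it enforces ownership in `pre_update` hooks, and any role- or `created_by`-based allowance would presumably live there) no longer applies to overwriting from explore, so an administrator who is not an explicit owner presumably loses that ability. If that narrowing is intended, state it in `is_owner`'s docstring so the next reader does not treat the two helpers as interchangeable. The membership test also relies on `g.user` comparing equal to the `User` rows in `slc.owners`, which holds only if both come from the same session identity map or the model defines `__eq__` — worth confirming. `explore`'s body starts and ends outside the hunk.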
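Review bot: With the denial `flash` removed from `overwrite_slice` (the `-1734` hunk of this file), an `overwrite` request by a user for whom `slice_overwrite_perm` is false now matches neither branch of `if action in ('saveas') … elif action == 'overwrite' …` and silently falls through to the dashboard-adding code that follows, so the user gets no signal that the chart was not written. An `else` branch that reports the refusal and stops is needed, e.g. `else:` / `    flash("You do not have permission to save this slice", "danger")` followed by an early return in whatever form the function's normal response takes (its remainder is outside the hunk). The same silent fall-through already exists for `saveas` without `slice_add_perm`, so one `else` covers both.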
@@ -1734,15 +1739,11 @@ def save_slice(self, slc):
 flash(msg, "info")
 def overwrite_slice(self, slc):
- can_update = check_ownership(slc, raise_if_false=False)
- if not can_update:
- flash("You cannot overwrite [{}]".format(slc), "danger")
- else:
- session = db.session()
- session.merge(slc)
- session.commit()
- msg = "Slice [{}] has been overwritten".format(slc.slice_name)
- flash(msg, "info")
+ session = db.session()
+ session.merge(slc)
+ session.commit()
+ msg = "Slice [{}] has been overwritten".format(slc.slice_name)
+ flash(msg, "info")
 @api
 @has_access_api
diff --git a/superset/viz.py b/superset/viz.py
index 78990572d45a7..b4373d2feac52 100755
--- a/superset/viz.py
+++ b/superset/viz.py
@@ -163,8 +163,7 @@ def query_obj(self):
 until = extra_filters.get('__to') or form_data.get("until", "now")
 to_dttm = utils.parse_human_datetime(until)
 if from_dttm > to_dttm:
- flasher("The date range doesn't seem right.", "danger")
- from_dttm = to_dttm # Making them identical to not raise
+ raise Exception("From date cannot be larger than to date")
 # extras are used to query elements specific to a datasource type
 # for instance the extra where clause that applies only to Tables
@@ -329,8 +328,7 @@ def get_values_for_column(self, column):
 until = form_data.get("until", "now")
 to_dttm = utils.parse_human_datetime(until)
 if from_dttm > to_dttm:
- flasher("The date range doesn't seem right.", "danger")
- from_dttm = to_dttm # Making them identical to not raise
+ raise Exception("From date cannot be larger than to date")
 kwargs = dict(
 column_name=column,
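Review bot: `overwrite_slice` now merges and commits whatever `slc` it is handed with no authorization of its own, so its safety rests entirely on the caller having checked `slice_overwrite_perm` first, whereas the removed body enforced ownership locally through `check_ownership`. That contract belongs on the method itself; a docstring such as `"""Persist changes to an existing slice. Callers must verify overwrite permission before calling."""` would make it explicit. Any other caller of `overwrite_slice` that relied on the in-method check would now write unconditionally, so the remaining call sites are worth checking.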
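Review bot: `raise Exception("From date cannot be larger than to date")` in `query_obj` uses the bare `Exception` type, which a handler cannot catch without also catching every unrelated failure; the same line is added in `get_values_for_column` (the `-329` hunk). A more specific type keeps the message while letting the caller render it as a user error rather than a crash: `raise ValueError("From date cannot be larger than to date")`, or the project's own exception base if one exists. Since the removed `from_dttm = to_dttm` fallback previously turned an inverted range into an empty query, requests that used to return an empty result now fail outright, which the commit message should say; and if these were the only two `flasher` calls in the module, that helper or its import may now be dead. Both enclosing methods continue outside the hunk.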