Skip to content

Commit

Permalink
fix: Gamma users shouldn't be able to create roles (#29687)
Browse files Browse the repository at this point in the history
(cherry picked from commit 7650c47)
  • Loading branch information
hughhhh authored and sadpandajoe committed Aug 27, 2024
1 parent b0a2aea commit fe33689
Show file tree
Hide file tree
Showing 3 changed files with 70 additions and 0 deletions.
6 changes: 6 additions & 0 deletions superset/security/manager.py
Original file line number Diff line number Diff line change
Expand Up @@ -238,6 +238,12 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
"SQL Lab",
"User Registrations",
"User's Statistics",
# Guarding all AB_ADD_SECURITY_API = True REST APIs
"Role",
"Permission",
"PermissionViewMenu",
"ViewMenu",
"User",
} | USER_MODEL_VIEWS

ALPHA_ONLY_VIEW_MENUS = {
Expand Down
62 changes: 62 additions & 0 deletions tests/integration_tests/security/api_tests.py
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
from superset.models.dashboard import Dashboard
from superset.utils.urls import get_url_host
from superset.utils import json
from tests.integration_tests.conftest import with_config
from tests.integration_tests.base_tests import SupersetTestCase
from tests.integration_tests.constants import ADMIN_USERNAME, GAMMA_USERNAME
from tests.integration_tests.fixtures.birth_names_dashboard import (
Expand Down Expand Up @@ -135,3 +136,64 @@ def test_post_guest_token_bad_resources(self):
)

self.assert400(response)


class TestSecurityRolesApi(SupersetTestCase):
uri = "api/v1/security/roles/" # noqa: F541

@with_config({"FAB_ADD_SECURITY_API": True})
def test_get_security_roles_admin(self):
"""
Security API: Admin should be able to get roles
"""
self.login(ADMIN_USERNAME)
response = self.client.get(self.uri)
self.assert200(response)

@with_config({"FAB_ADD_SECURITY_API": True})
def test_get_security_roles_gamma(self):
"""
Security API: Gamma should not be able to get roles
"""
self.login(GAMMA_USERNAME)
response = self.client.get(self.uri)
self.assert403(response)

@with_config({"FAB_ADD_SECURITY_API": True})
def test_post_security_roles_gamma(self):
"""
Security API: Gamma should not be able to create roles
"""
self.login(GAMMA_USERNAME)
response = self.client.post(
self.uri,
data=json.dumps({"name": "new_role"}),
content_type="application/json",
)
self.assert403(response)

@with_config({"FAB_ADD_SECURITY_API": True})
def test_put_security_roles_gamma(self):
"""
Security API: Gamma shouldnt be able to update roles
"""
self.login(GAMMA_USERNAME)
response = self.client.put(
f"{self.uri}1",
data=json.dumps({"name": "new_role"}),
content_type="application/json",
)
self.assert403(response)

@with_config({"FAB_ADD_SECURITY_API": True})
def test_delete_security_roles_gamma(self):
"""
Security API: Gamma shouldnt be able to delete roles
"""
self.login(GAMMA_USERNAME)
response = self.client.delete(
f"{self.uri}1",
data=json.dumps({"name": "new_role"}),
content_type="application/json",
)
self.assert403(response)
2 changes: 2 additions & 0 deletions tests/integration_tests/superset_test_config.py
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,8 @@ def GET_FEATURE_FLAGS_FUNC(ff):

ALERT_REPORTS_QUERY_EXECUTION_MAX_TRIES = 3

FAB_ADD_SECURITY_API = True


class CeleryConfig:
broker_url = f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_CELERY_DB}"
Expand Down

0 comments on commit fe33689

Please sign in to comment.