From fe3368991788133c4cad7ca798449c12a4a1f85c Mon Sep 17 00:00:00 2001
From: "Hugh A. Miles II"
Date: Tue, 20 Aug 2024 20:14:20 -0400
Subject: [PATCH] fix: Gamma users shouldn't be able to create roles (#29687)

(cherry picked from commit 7650c47e72f28559e91524f5d68d50c2060df4c7)
---
 superset/security/manager.py                  |  6 ++
 tests/integration_tests/security/api_tests.py | 62 +++++++++++++++++++
 .../integration_tests/superset_test_config.py |  2 +
 3 files changed, 70 insertions(+)

diff --git a/superset/security/manager.py b/superset/security/manager.py
index 57a6321ccc784..5ee540b643f0c 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -238,6 +238,12 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
         "SQL Lab",
         "User Registrations",
         "User's Statistics",
+        # Guarding all AB_ADD_SECURITY_API = True REST APIs
+        "Role",
+        "Permission",
+        "PermissionViewMenu",
+        "ViewMenu",
+        "User",
     } | USER_MODEL_VIEWS
 
     ALPHA_ONLY_VIEW_MENUS = {
diff --git a/tests/integration_tests/security/api_tests.py b/tests/integration_tests/security/api_tests.py
index 1fff519bd4309..c2d9b130cdc58 100644
--- a/tests/integration_tests/security/api_tests.py
+++ b/tests/integration_tests/security/api_tests.py
@@ -26,6 +26,7 @@ from superset.models.dashboard import Dashboard
 from superset.utils.urls import get_url_host
 from superset.utils import json
+from tests.integration_tests.conftest import with_config
 from tests.integration_tests.base_tests import SupersetTestCase
 from tests.integration_tests.constants import ADMIN_USERNAME, GAMMA_USERNAME
 from tests.integration_tests.fixtures.birth_names_dashboard import (
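Review bot: The comment added above the new entries names `AB_ADD_SECURITY_API`, but the setting this same patch turns on in the tests and the test config is `FAB_ADD_SECURITY_API`; suggest `# Guard the FAB security REST API (FAB_ADD_SECURITY_API = True): Role, Permission, PermissionViewMenu, ViewMenu, User`. The five strings are the view-menu names the security API resources register under, so the guard only holds while those names match, and a one-line note saying that is worth adding for whoever next bumps Flask-AppBuilder. The set being extended starts above the hunk, so its name is not visible here; if, as its existing entries suggest, it is consulted when role definitions are synced rather than on each request, installations whose Gamma role was synced before this change keep the old permission set until roles are re-synced, and the commit message should say so. The tests in this patch exercise only the roles endpoint, while four other resources are added to the guard here.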
@@ -135,3 +136,64 @@ def test_post_guest_token_bad_resources(self):
             )
         self.assert400(response)
+
+
+class TestSecurityRolesApi(SupersetTestCase):
+    uri = "api/v1/security/roles/"  # noqa: F541
+
+    @with_config({"FAB_ADD_SECURITY_API": True})
+    def test_get_security_roles_admin(self):
+        """
+        Security API: Admin should be able to get roles
+        """
+        self.login(ADMIN_USERNAME)
+        response = self.client.get(self.uri)
+        self.assert200(response)
+
+    @with_config({"FAB_ADD_SECURITY_API": True})
+    def test_get_security_roles_gamma(self):
+        """
+        Security API: Gamma should not be able to get roles
+        """
+        self.login(GAMMA_USERNAME)
+        response = self.client.get(self.uri)
+        self.assert403(response)
+
+    @with_config({"FAB_ADD_SECURITY_API": True})
+    def test_post_security_roles_gamma(self):
+        """
+        Security API: Gamma should not be able to create roles
+        """
+        self.login(GAMMA_USERNAME)
+        response = self.client.post(
+            self.uri,
+            data=json.dumps({"name": "new_role"}),
+            content_type="application/json",
+        )
+        self.assert403(response)
+
+    @with_config({"FAB_ADD_SECURITY_API": True})
+    def test_put_security_roles_gamma(self):
+        """
+        Security API: Gamma shouldnt be able to update roles
+        """
+        self.login(GAMMA_USERNAME)
+        response = self.client.put(
+            f"{self.uri}1",
+            data=json.dumps({"name": "new_role"}),
+            content_type="application/json",
+        )
+        self.assert403(response)
+
+    @with_config({"FAB_ADD_SECURITY_API": True})
+    def test_delete_security_roles_gamma(self):
+        """
+        Security API: Gamma shouldnt be able to delete roles
+        """
+        self.login(GAMMA_USERNAME)
+        response = self.client.delete(
+            f"{self.uri}1",
+            data=json.dumps({"name": "new_role"}),
+            content_type="application/json",
+        )
+        self.assert403(response)
diff --git a/tests/integration_tests/superset_test_config.py b/tests/integration_tests/superset_test_config.py
index 0935714c54275..57d2ebd0f8ebe 100644
--- a/tests/integration_tests/superset_test_config.py
+++ b/tests/integration_tests/superset_test_config.py
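Review bot: `test_post_security_roles_gamma` asserts only the 403 and never checks that no `new_role` row was written, which is the property the fix is about; a follow-up lookup such as `self.assertIsNone(security_manager.find_role("new_role"))` (with `from superset import security_manager`) would pin it. The PUT and DELETE tests hard-code role id `1` in `f"{self.uri}1"`; a 403 is expected regardless, but resolving the id from an existing role keeps the tests meaningful if the permission check is ever moved after the lookup, where a missing id would yield 404 instead. `# noqa: F541` on `uri` suppresses the f-string-without-placeholders rule, but `"api/v1/security/roles/"` is not an f-string, so the directive can be dropped. Every test also carries `@with_config({"FAB_ADD_SECURITY_API": True})` while the test-config hunk below sets the same flag globally; if the decorator is still needed because the API is registered at app creation, a comment saying so would stop someone from removing one of the two. The docstrings of the PUT and DELETE tests read `shouldnt` where the others use `should not`.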
@@ -138,6 +138,8 @@ def GET_FEATURE_FLAGS_FUNC(ff):
 ALERT_REPORTS_QUERY_EXECUTION_MAX_TRIES = 3
+FAB_ADD_SECURITY_API = True
+
 class CeleryConfig:
     broker_url = f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_CELERY_DB}"