-
Notifications
You must be signed in to change notification settings - Fork 14k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: Refactor dashboard security access #24804
chore: Refactor dashboard security access #24804
Conversation
@@ -26,7 +26,6 @@ class SupersetErrorType(str, Enum): | |||
Types of errors that can exist within Superset. | |||
|
|||
Keep in sync with superset-frontend/src/components/ErrorMessage/types.ts | |||
and docs/src/pages/docs/Miscellaneous/issue_codes.mdx |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These docs no longer exist.
d1d627b
to
3a6710f
Compare
@@ -1852,6 +1867,45 @@ def raise_for_access( | |||
self.get_datasource_access_error_object(datasource) | |||
) | |||
|
|||
if dashboard: | |||
if self.is_guest_user(): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Identical logic which was previously in raise_for_dashboard_access
.
Codecov Report
@@ Coverage Diff @@
## master #24804 +/- ##
==========================================
+ Coverage 68.96% 69.00% +0.03%
==========================================
Files 1906 1906
Lines 74122 74127 +5
Branches 8208 8208
==========================================
+ Hits 51116 51148 +32
+ Misses 20883 20856 -27
Partials 2123 2123
Flags with carried forward coverage won't be shown. Click here to find out more.
... and 9 files with indirect coverage changes 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
736bddb
to
dc7d725
Compare
@eschutho and @Vitor-Avila as mentioned in #24892 this refactor should help with your efforts in readdressing the problem outlined in #24808 as now the security_manager.raise_for_access(dashboard=dashboard, datasource=datasource) as opposed to security_manager.raise_for_access(datasource=datasource) or similar. |
dc7d725
to
32de355
Compare
32de355
to
b312294
Compare
thanks @john-bodley, that makes perfect sense! I'll wait for these changes to get merged too so I can update my fork and take a look at this. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
(cherry picked from commit 5522fac)
SUMMARY
Whilst spelunking through the codebase recently in order to fix some dashboard RBAC issues I noticed the
raise_for_dashboard_access
method (drafted prior to #13235) which coincides with the more genericraise_for_access
method.This PR extends the previous intent to migrate the logic into the
raise_for_access
method which ensures all entity based access checks use the same call stack. Furthermore this approach allows for more context aware checks, i.e., whether a user has access to a dataset/datasource in the context of viewing a dashboard.BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
TESTING INSTRUCTIONS
CI.
ADDITIONAL INFORMATION