Allow GET from non-admins on data source resource

[gabrieldutra]

What type of PR is this? (check all applicable)

• Other

Description

This allows requests from non-admin users that have at least "view_only" permissions on the DS. Also adds the view_only information and limit the result information when the user is non-admin.

Reverts #4927 as with this the specific route can be used.

Reasoning: it removes the need for the "list_data_sources" permission when accessing the View Query page.

Related Tickets & Documents

--

Mobile & Desktop Screenshots/Recordings (if there are UI changes)

--

[arikfr]

See my comment about the issue with having this API call without permission.

To address the UI issue: let's address the case when you can't call this API and if the data source details aren't available just not show the data source label and assume user has view only access.

[arikfr]

It should still require some permission to view the data source details, because otherwise this API will be available when using the query API key...

Also, when the user doesn't have a list_data_sources permission it's very likely the admin wouldn't want them to see the details of the data source anyway.

Let's keep this new implementation, but still require list_data_sources permission here for now (ideally we would use a new permission, but this is a bit of a hassle to add).

[kravets-levko]

I suggested the same but late a bit 😅

[gabrieldutra]

Having "list_data_sources" doesn't fix the problem :(

Also, when the user doesn't have a list_data_sources permission it's very likely the admin wouldn't want them to see the details of the data source anyway

I had that in mind, that's why I put the "all" only when the user is an admin.

redash/redash/handlers/data_sources.py

Line 42 in 8fb5bc7

ds = data_source.to_dict(all=self.current_user.has_permission("admin"))

Basically we show exactly the same information we would show in the list resource if the user is not an admin.

I see your point anyway, just that if felt ok as the user would actually be "listing data sources". WDYT about only returning the { view_only: true/false } when the user doesn't have the list permission?

[gabrieldutra]

4958ec4 with "returning the { view_only: true/false } when the user doesn't have the list permission"

[arikfr]

I had that in mind, that's why I put the "all" only when the user is an admin.

By details I meant even the name or type.

[kravets-levko]

Please correct me if I misunderstand something:

1. for admins it will serialize all fields + view_only flags
2. for those who can list_data_sources it will serialize limited set of fields + view_only flags
3. for all others it will return just view_only flags

If so - it looks good. Maybe just add some comment to explain this logic, or split this one-liner to make it a bit easier to understand.

[gabrieldutra]

@kravets-levko correct, sorry if the code is a bit weird, for now I only made de simplest changes to what was there 😅

If @arikfr agrees with this flow I'll happily try to simplify the code (or add the explaining comment) + add tests to make sure it keeps working as it should.

[arikfr]

I guess this flow is fine, but we still need the relevant UI changes (hide data source if we don't have its name/type).

[gabrieldutra]

I've added tests and updated the code.

One extra thing to @kravets-levko flow that was not mentioned: The user has to either be an admin or have at least view permissions to follow to that flow, otherwise a 403 is returned.

[kravets-levko]

🚀