fix: Gamma users shouldn't be able to create roles (#29687)

2024-08-20 20:14:20 -04:00 · 2024-08-20 20:14:20 -04:00 · 7650c47e72
parent 1818054166
commit 7650c47e72
3 changed files with 70 additions and 0 deletions
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@ -238,6 +238,12 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
        "SQL Lab",
        "User Registrations",
        "User's Statistics",
+        # Guarding all AB_ADD_SECURITY_API = True REST APIs
+        "Role",
+        "Permission",
+        "PermissionViewMenu",
+        "ViewMenu",
+        "User",
    } | USER_MODEL_VIEWS

    ALPHA_ONLY_VIEW_MENUS = {
--- a/tests/integration_tests/security/api_tests.py
+++ b/tests/integration_tests/security/api_tests.py
@ -26,6 +26,7 @@ from superset.daos.dashboard import EmbeddedDashboardDAO
 from superset.models.dashboard import Dashboard
 from superset.utils.urls import get_url_host
 from superset.utils import json
+from tests.integration_tests.conftest import with_config
 from tests.integration_tests.base_tests import SupersetTestCase
 from tests.integration_tests.constants import ADMIN_USERNAME, GAMMA_USERNAME
 from tests.integration_tests.fixtures.birth_names_dashboard import (
@ -135,3 +136,64 @@ class TestSecurityGuestTokenApi(SupersetTestCase):
        )

        self.assert400(response)
+
+
+class TestSecurityRolesApi(SupersetTestCase):
+    uri = "api/v1/security/roles/"  # noqa: F541
+
+    @with_config({"FAB_ADD_SECURITY_API": True})
+    def test_get_security_roles_admin(self):
+        """
+        Security API: Admin should be able to get roles
+        """
+        self.login(ADMIN_USERNAME)
+        response = self.client.get(self.uri)
+        self.assert200(response)
+
+    @with_config({"FAB_ADD_SECURITY_API": True})
+    def test_get_security_roles_gamma(self):
+        """
+        Security API: Gamma should not be able to get roles
+        """
+        self.login(GAMMA_USERNAME)
+        response = self.client.get(self.uri)
+        self.assert403(response)
+
+    @with_config({"FAB_ADD_SECURITY_API": True})
+    def test_post_security_roles_gamma(self):
+        """
+        Security API: Gamma should not be able to create roles
+        """
+        self.login(GAMMA_USERNAME)
+        response = self.client.post(
+            self.uri,
+            data=json.dumps({"name": "new_role"}),
+            content_type="application/json",
+        )
+        self.assert403(response)
+
+    @with_config({"FAB_ADD_SECURITY_API": True})
+    def test_put_security_roles_gamma(self):
+        """
+        Security API: Gamma shouldnt be able to update roles
+        """
+        self.login(GAMMA_USERNAME)
+        response = self.client.put(
+            f"{self.uri}1",
+            data=json.dumps({"name": "new_role"}),
+            content_type="application/json",
+        )
+        self.assert403(response)
+
+    @with_config({"FAB_ADD_SECURITY_API": True})
+    def test_delete_security_roles_gamma(self):
+        """
+        Security API: Gamma shouldnt be able to delete roles
+        """
+        self.login(GAMMA_USERNAME)
+        response = self.client.delete(
+            f"{self.uri}1",
+            data=json.dumps({"name": "new_role"}),
+            content_type="application/json",
+        )
+        self.assert403(response)
--- a/tests/integration_tests/superset_test_config.py
+++ b/tests/integration_tests/superset_test_config.py
@ -137,6 +137,8 @@ ALERT_REPORTS_WORKING_TIME_OUT_KILL = True

 ALERT_REPORTS_QUERY_EXECUTION_MAX_TRIES = 3

+FAB_ADD_SECURITY_API = True
+

 class CeleryConfig:
    broker_url = f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_CELERY_DB}"